Abstract

The Cryptographic Protocol Shapes Analyzer (CPSA) is a program for
automatically characterizing the possible executions of a protocol compatible
with a specified partial execution. This paper presents a mathematically
rigorous theory that backs up the implementation of CPSA in Haskell, and
proves the algorithm produces characterizations that are complete, and that
the algorithm enumerates these characterizations.
1 Introduction

The Cryptographic Protocol Shapes Analyzer (CPSA) is a program for
automatically characterizing the possible executions of a protocol compatible
with a specified partial execution [17]. The purpose of this document is to
present a mathematically rigorous theory that backs up the implementation
of CPSA in Haskell, and prove the algorithm produces characterizations that
are complete, and that the algorithm enumerates these characterizations.

1.1 Previous and Related Work

CPSA is the result of a line of research on the formal analysis of security
protocols, typically traced to seminal work of Dolev and Yao [12]. Formal
analysis of security protocols treats cryptographic tools such as encryption
and digital signatures as abstractions, and thus reduces the problem of
analyzing a security protocol to a simpler task. Meadows [16] and Lowe [15]
showed that automatic tools for analysis of security protocols are both
practical and effective. Numerous tools have been developed since for automated
protocol analysis [15, 4, 6, 5, 1, 21, 3, 2, 8, 13].

The cryptographic protocol shapes analyzer is unusual among these tools
because it aims to give a complete characterization of possible executions,
independent of any specific security property to confirm or contradict. CPSA
is an automated tool that aims at complete characterization, and works with
Strand Space theory [20, 14]. Its structure is described in [9, 11], and the
algorithm is more fully specified in [18]. However, no full proof of the algorithm
has been given until now.

It is worth noting a few of the similarities and differences from one tool
in particular named Scyther [8, 7], created by Cas Cremers. We highlight
this tool due to its close similarity to CPSA. Scyther's algorithm is based on
the algorithm used in Avispa [1] and also aims to produce complete
characterizations of protocols. It is also based on the theory of Strand Spaces,
although its semantics is not quite identical to that of CPSA. Scyther's
characterizations are sensitive to certain types of adversarial actions, and so these
actions are explicitly included in the output, while CPSA focuses solely on the
projection of executions onto the regular participants. This difference also
manifests itself in the algorithms used by the two tools. In choosing to have
characterizations that are insensitive to which adversary actions are used,
CPSA must base its algorithm on so-called "authentication tests" [10]. This
appears to add noticeable complexity to the proof of completeness. There
has been no systematic comparison of these tools with regard to their
performance and expressibility; nor have there been any studies to compare the
similarities and differences between the characterizations that the two tools
output.

1.2 Document structure

In sections 2, 3, 4, and 5, we describe the formal algebra used to model
messages in our protocols and the capabilities of the adversary, and develop some
key definitions and reasoning that support the algorithmic design of CPSA.
We are mainly concerned with the notion of derivability, specifically, given a
message, can the adversary derive it from available messages, and if not, why
not? The main result of importance to the proof is the development of the
definitions of an escape set and a critical path, and the relationship between
escape sets, critical paths, and derivability, which we prove in Theorem 4.11.

In sections 6 and 7, we describe our mathematical notion of a protocol
and its roles, and describe skeletons, which capture our idea of a (possibly
partial) protocol execution. We also describe homomorphisms, maps from
one skeleton to another, that indicate that the target is an extension of
the source as a partial execution. This makes it possible for us to describe
coverage and to formally explain the goal of the CPSA algorithm.

In sections 8 and 9, we give a mathematical theory of operators
(transformative operations on skeletons) and suites in order to define the cohort
suite, the main algorithmic operation of CPSA. We also define the overall
algorithm of CPSA.

In sections 10, 11, 12, and 13, we formally state and prove the top-level
theorems about CPSA we wish to establish: Theorem 10.17, which proves
that CPSA gives a complete characterization of its input, and Theorem 13.1,
which proves that our algorithm enumerates normal characterizations of any
input.
2 Preliminaries

2.1 Basic Cryptoalgebra

We use a message algebra called the Basic Cryptoalgebra which is the main
algebra used by CPSA.


Sorts

  Sorts:       NAME, TEXT, DATA, SKEY, AKEY < MESG
  Base sorts:  name, text, data, skey, akey

Operations

  $\{|\cdot|\}_{(\cdot)}$   : MESG × MESG → MESG    Encryption
  $(\cdot, \cdot)$          : MESG × MESG → MESG    Pairing
  $K_{(\cdot)}$             : NAME → AKEY           Public key of name
  $(\cdot)^{-1}$            : AKEY → AKEY           Inverse of key
  $ltk(\cdot, \cdot)$       : NAME × NAME → SKEY

Constants

  Tags                      : MESG                  Tag constants

Equations

  $(a^{-1})^{-1} = a$,   $a$ : AKEY

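The base sorts are pairwise disjoint. Given a set $X$ of generators, $\mathfrak{A}_X$ is the
free cryptoalgebra generated by $X$. The set of elements of base sort is denoted
$\mathfrak{B}_X$.

$\mathfrak{B} = \mathfrak{A}_{\mathrm{skey}} \cup \mathfrak{A}_{\mathrm{akey}} \cup \mathfrak{A}_{\mathrm{name}} \cup \mathfrak{A}_{\mathrm{text}} \cup \mathfrak{A}_{\mathrm{data}}$   (1)

Elements of $\mathfrak{B}$ are called atoms in the CPSA Theory paper. The set $\mathfrak{B}$
consists of those terms which are not pairs, not encryptions, not variables of
sort message and not tags.

$\mathrm{End}(\mathfrak{A})$ is the set of homomorphisms $\mathfrak{A} \to \mathfrak{A}$. There is a bijective
correspondence between elements of $\mathrm{End}(\mathfrak{A})$ and mappings $X \to \mathfrak{A}$. If
$\sigma \in \mathrm{End}(\mathfrak{A})$, s-dom $\sigma$ is the set of variables that are not fixed by $\sigma$.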

2.2 Path Viewpoint

A position $\pi$ is a finite sequence of whole numbers. We write $\pi \frown \pi'$ to indicate
the concatenation of sequences $\pi$ and $\pi'$. When $\pi'$ is a prefix of $\pi$, we write
$(\pi - \pi')$ to indicate the unique sequence $\pi''$ such that $\pi' \frown \pi'' = \pi$.
The term in $t$ that occurs at $\pi$, written $t @ \pi$, is:

$t @ \langle\rangle = t$;

$(t_1, t_2) @ \langle i \rangle \frown \pi = t_i @ \pi$ for $i \in \{1, 2\}$;

$\{|t_1|\}_{t_2} @ \langle i \rangle \frown \pi = t_i @ \pi$ for $i \in \{1, 2\}$;

$t^{-1} @ \langle 1 \rangle \frown \pi = t @ \pi$.

All references to terms are considered in $\mathfrak{A}$. A term $t$ occurs in term $t'$ if
$t = t' @ p$ for some $p$.

We consider the elements of $\mathfrak{A}$ as a directed graph with labeled nodes
and arrows; $t \to s$ where $t, s \in \mathfrak{A}$ if and only if $t @ \langle \alpha \rangle = s$, where $\alpha \in \{1, 2\}$.
Given a term $t$, the set of paths $p$ from $t$ is denoted by $\mathrm{Path}(t)$.

Remark 2.1. A position $\pi$ determines a path in the parse tree of a term $t$.
We can associate to each path from $t$ a position $\pi$ and conversely positions $\pi$
in a term $t$ determine a path from $t$. For compatibility with CPSA notation
we identify a path $p$ from $t$ with a pair $(t, \pi)$ where $\pi$ is a position in $t$. For
any prefix $\rho$ of position $\pi$, $t @ \rho$ is a node on the path. We will use similar
terminology for paths and positions. For example, a prefix of a path $(t, \pi)$ is
a path $(t, \rho)$ where $\rho$ is a prefix of $\pi$. If $p$ is a path from $t$, then $t @ p$ is the
endpoint of the path $p$. the free algebra.

1. A path $p = (t, \pi)$ traverses a term $a$ if $t @ \rho = a$ for some proper prefix
$\rho$ of $\pi$. As a particular case of this, note that any non-null path from
$t$ traverses $t$.

2. A path $p = (t, \pi)$ terminates at $a$ if $t @ \pi = a$. Alternative phrases are
$p$ leads from $t$ to $a$ or $a$ is an endpoint of $p$.

3. A path $p$ visits $a$ if $p$ traverses $a$ or terminates at $a$.

4. A path $p = (t, \pi)$ in $t$ traverses the $i$-th position of a function symbol
$f$ of arity $n \ge i$ if for some position $\rho$, $t @ \rho$ is a term with constructor
$f$ and $\rho \frown \langle i \rangle$ is a prefix of $\pi$. Cases of interest are plaintext edges and
key edges of encryptions and key inverse.

5. A path $p$ is carried if it does not traverse any key edge or any inverse
edge. The set of carried paths at $t$ is denoted $\mathrm{CarPath}(t)$.

6. A term $a$ is reachable from $t$ if some path leads from $t$ to $a$; $a$ is reachable
by a carried path if there is a carried path that leads from $t$ to $a$. In
other words, $a$ occurs in $t$ if it is reachable from $t$, and $a$ is carried by $t$
if it is reachable from $t$ via a carried path.
3 Upward and Downward Closure

Remarks 3.1 (Notational). Destructuring is either one of the two operations
which map a pair $(a, b)$ into its components. If $a$ is a term,

$\mathrm{inv}(a) = \begin{cases} a^{-1} & \text{if } a : \mathrm{AKEY} \\ a & \text{if } a \notin X_{\mathrm{mesg}} \\ \bot & \text{otherwise.} \end{cases}$   (2)

Decryption with a key $u$ is the operation $\{|a|\}_u \mapsto a$. Encryption with a key
$u$ is the operation $a \mapsto \{|a|\}_u$.

It is convenient to separate the notion of available terms from the notion
of the context, which is a set of keys that may be used in derivations. We
will use calligraphic fonts $\mathcal{S}$ to emphasize that a set of terms is regarded as
a context.

Definition 3.2. Suppose $\mathcal{S}$ is a set of terms regarded as a cryptographic
context. A carried path $p$ is $\mathcal{S}$-decryptable if the only encryptions that $p$
traverses are of the form $\{|b|\}_u$ where $\mathrm{inv}(u) \in \mathcal{S}$. A carried path $p$ is
$\mathcal{S}$-encryptable if the only encryptions $p$ traverses are of the form $\{|b|\}_u$ where
$u \in \mathcal{S}$.

An $\mathcal{S}$-decryptable path may terminate at an encryption $\{|b|\}_u$ with
$\mathrm{inv}(u) \notin \mathcal{S}$.

Definition 3.3. A maximal $\mathcal{S}$-decryptable carried path is an $\mathcal{S}$-decryptable
carried path $p$ which is not a proper prefix of an $\mathcal{S}$-decryptable carried path.
Completely analogously, we can define a maximal $\mathcal{S}$-encryptable carried path.

Remark 3.4. Clearly an $\mathcal{S}$-decryptable carried path $p$ is maximal (in the set
of $\mathcal{S}$-decryptable carried paths) if and only if it terminates at an encryption
$\{|b|\}_u$ with $\mathrm{inv}(u) \notin \mathcal{S}$ or terminates at a term which is not an encryption and
not a pair. Similarly an $\mathcal{S}$-encryptable carried path $p$ is maximal (in the set
of $\mathcal{S}$-encryptable carried paths) if and only if it terminates at an encryption
$\{|b|\}_u$ with $u \notin \mathcal{S}$ or terminates at a term which is not an encryption and not
a pair.

Remark 3.5. For a carried path $p$ from $t$ exactly one of the following
alternatives must hold:

1. $p$ is a maximal $\mathcal{S}$-decryptable carried path from $t$.

2. A proper prefix of $p$ is a maximal $\mathcal{S}$-decryptable carried path from $t$.
This will be the case if and only if $p$ is not $\mathcal{S}$-decryptable.

3. $p$ is a proper prefix of a maximal $\mathcal{S}$-decryptable carried path from $t$.

There is a corresponding version of the above assertion with "$\mathcal{S}$-decryptable"
replaced by "$\mathcal{S}$-encryptable".

Remark 3.6. The maximal $\mathcal{S}$-decryptable prefix of a path $p$ from $t$ if it exists
is unique. This is immediate since the set of prefixes of $p$ is totally ordered.
However $p$ may have more than one maximal $\mathcal{S}$-decryptable extension. The
same remark holds if "$\mathcal{S}$-decryptable" is replaced with "$\mathcal{S}$-encryptable".

Remark 3.7. If a carried path $p$ terminates at a term $c$ such that $c$ is either
an encryption $\{|b|\}_u$ with $\mathrm{inv}(u) \notin \mathcal{S}$ or $c$ is not an encryption and not a pair,
then $p$ has no proper extensions which are $\mathcal{S}$-decryptable carried paths. In
this case some prefix of $p$ (possibly $\langle\rangle$ or $p$ itself) is a maximal $\mathcal{S}$-decryptable
carried path from $t$. In the other direction, if $p$ is an $\mathcal{S}$-decryptable carried
path that has no proper extensions which are $\mathcal{S}$-decryptable carried paths,
then $p$ terminates at a term $c$ such that $c$ is either an encryption $\{|b|\}_u$ with
$\mathrm{inv}(u) \notin \mathcal{S}$ or $c$ is not an encryption and not a pair. Again there is a
corresponding statement for maximal $\mathcal{S}$-encryptable carried path: It terminates
at a term $c$ such that $c$ is either an encryption $\{|b|\}_u$ with $u \notin \mathcal{S}$ or $c$ is not
an encryption and not a pair.

First we adapt some terminology which is more-or-less standard in the
context of paths and graphs: If $p$ is a path, $t$ a term and $L$ a set of terms such
that $p$ visits an element of $L$, the first $L$-visit prefix of $p$ at $t$ is the minimal
prefix of $p$ which visits an element of $L$.

Definition 3.8. Given a set $L$ of terms, the depth of $L$ relative to a term
$a$, denoted $\mathrm{depth}(L, \mathcal{S}, a)$, is the supremum over all maximal $\mathcal{S}$-encryptable
carried paths $p$ from $a$ of the length of the first $L$-visit prefix of $p$. By
convention, if there is a maximal $\mathcal{S}$-encryptable carried path which does not visit
$L$, then $\mathrm{depth}(L, \mathcal{S}, a) = +\infty$.

A set $L$ is an $\mathcal{S}$-support for $a$ if $\mathrm{depth}(L, \mathcal{S}, a) < \infty$. Alternative phrase:
$a$ is $\mathcal{S}$-supported by $L$.

Remark 3.9. For every term $a$, $\{a\}$ is an $\mathcal{S}$-support of $a$. Clearly $a$ is
$\mathcal{S}$-supported by $L$ if and only if every maximal $\mathcal{S}$-encryptable carried path
visits $L$.


Definition 3.10. Let $P$ and $\mathcal{S}$ be sets of terms, where we regard $\mathcal{S}$ as a
context. The $\mathcal{S}$-downclosure of $P$ denoted $\mathrm{Cl}^{\downarrow}(P, \mathcal{S})$ consists of those terms
$a$ which are endpoints of an $\mathcal{S}$-decryptable carried path beginning at some
element of $P$. The $\mathcal{S}$-upclosure of $P$ denoted $\mathrm{Cl}^{\uparrow}(P, \mathcal{S})$ consists of those
terms $a$ which are $\mathcal{S}$-supported by $P$.

The $\mathcal{S}$-frontier of $P$ denoted $\mathrm{Fr}(P, \mathcal{S})$ consists of those terms which are
endpoints of a maximal $\mathcal{S}$-decryptable carried path beginning at some element
of $P$.

Remark 3.11. Taking the contrapositive of Definition 3.10, $a \notin \mathrm{Cl}^{\downarrow}(P, \mathcal{S})$ if
and only if there is no $\mathcal{S}$-decryptable carried path starting at an element of
$P$ that reaches $a$.

Equivalently,

Lemma 3.12. $a \notin \mathrm{Cl}^{\downarrow}(P, \mathcal{S})$ if and only if every carried path from an element
of $P$ to $a$ traverses $\mathrm{Fr}(P, \mathcal{S})$.

Proof. Suppose $a \notin \mathrm{Cl}^{\downarrow}(P, \mathcal{S})$ and $p$ is a path from $t$ to $a$. By Definition 3.10,
$p$ is not $\mathcal{S}$-decryptable, and therefore has a proper prefix $q$ which is maximal
$\mathcal{S}$-decryptable. The endpoint $e_q$ of the path $q$ is an element of $\mathrm{Fr}(P, \mathcal{S})$
and clearly $p$ traverses $e_q$. Conversely, if $a \in \mathrm{Cl}^{\downarrow}(P, \mathcal{S})$ then there is an
$\mathcal{S}$-decryptable path $p$ from an element of $P$ to $a$. Every encryption $c$ traversed
by $p$ is $\mathcal{S}$-decryptable and therefore by Remark 3.4, no such $c$ can be the
endpoint of a maximal $\mathcal{S}$-decryptable path from anywhere. Therefore no such
$c$ can be an element of $\mathrm{Fr}(P, \mathcal{S})$. Thus $p$ traverses no element of $\mathrm{Fr}(P, \mathcal{S})$. □

Remark 3.13. In other words, Lemma 3.12 asserts that $a \notin \mathrm{Cl}^{\downarrow}(P, \mathcal{S})$ if and
only if for all $t \in P$, $a$ is carried in $t$ only within $\mathrm{Fr}(P, \mathcal{S})$. Some elements of
$\mathrm{Fr}(P, \mathcal{S})$ may not carry $a$ at all.

Remark 3.14. By Remark 3.4 any element in $\mathrm{Fr}(P, \mathcal{S})$ is either an encryption
of the form $\{|b|\}_u$ with $\mathrm{inv}(u) \notin \mathcal{S}$ or is not an encryption and not a pair or
equivalently, either an encryption or an atom. Every element of $\mathrm{Cl}^{\downarrow}(P, \mathcal{S})$ is
visited by an $\mathcal{S}$-decryptable path starting at some element of $P$.

The frontier has a boundary-like property:

Proposition 3.15. If $t \in \mathrm{Cl}^{\downarrow}(P, \mathcal{S})$, $a \notin \mathrm{Cl}^{\downarrow}(P, \mathcal{S})$ and $p$ is a path from $t$ to
$a$ then $p$ traverses $\mathrm{Fr}(P, \mathcal{S})$.
Figure 1: Frontier

Proof. By Definition 3.10, there is an $\mathcal{S}$-decryptable path $r$ from some
element of $P$ to $t$. Now consider the path $r \frown p$. Again by Definition 3.10, $r \frown p$
is not $\mathcal{S}$-decryptable. Therefore $r \frown p$ has a proper maximal $\mathcal{S}$-decryptable
prefix $q$. However $q$ must be an extension of $r$, possibly $r$ itself. Moreover,
the endpoint $e_q$ of $q$ is an element of the frontier $\mathrm{Fr}(P, \mathcal{S})$ and an element of
$\mathrm{Cl}^{\downarrow}(P, \mathcal{S})$. Since $r \frown p$ is a path from an element of $P$ to $a$, $e_q$ is an element of
$\mathrm{Fr}(P, \mathcal{S})$. It follows that $p$ visits $e_q \in \mathrm{Fr}(P, \mathcal{S})$ as claimed and since $a \neq e_q$, $p$
traverses $e_q$. □

3.1 Closure Properties

A set $Z$ of terms is derivational if it is closed under pairing, encryption with
a key $u$ such that $u \in Z$, destructuring and decryption with a key $u$ such that
$\mathrm{inv}(u) \in Z$. The smallest derivational set containing $P$ is denoted $D(P)$.

A set $Z$ of terms is $\mathcal{S}$-constructive if and only if it is closed under pairing
and encryption with a key $u$ such that $u \in \mathcal{S}$. A set $Z$ is $\mathcal{S}$-deconstructive
if and only if it is closed under destructuring and decryption with a key
$u$ such that $\mathrm{inv}(u) \in \mathcal{S}$. A set $Z$ is $\mathcal{S}$-derivational if and only if it is
$\mathcal{S}$-constructive and $\mathcal{S}$-deconstructive. The smallest $\mathcal{S}$-derivational set
containing $P$ is $D(P, \mathcal{S})$.

We can characterize these sets in terms of the path heuristic.

Figure 2: Frontier as a Boundary (Proposition 3.15)

Lemma 3.16. A set $Z$ is $\mathcal{S}$-deconstructive if and only if every term $a$ which
is the endpoint of an $\mathcal{S}$-decryptable carried path $p$ from $t \in Z$, is also an
element of $Z$.

Proof. Suppose $Z$ is $\mathcal{S}$-deconstructive. We show that if a term $a$ is reachable
from $t \in Z$ by an $\mathcal{S}$-decryptable carried path $p$, then $a \in Z$. We use induction
on the length of the path $p$. If $p$ has length 0, then $p = \langle\rangle$ and $a = t \in Z$.
Suppose the claim is true for all carried paths of length $n$ and $p$ has length
$n + 1$. Then $p = q \frown \langle \alpha \rangle$ where $q$ has length $n$. $q$ is an $\mathcal{S}$-decryptable carried
path and therefore by the induction hypothesis $t @ q \in Z$. If $t @ q$ is an
encryption $\{|b|\}_u$, then by the assumption $p$ is $\mathcal{S}$-decryptable, $\mathrm{inv}(u) \in \mathcal{S}$.
Since $Z$ is $\mathcal{S}$-deconstructive, $t @ p = b \in Z$. If $t @ q$ is a pair $(x, y)$ then both
$x, y \in Z$ and $t @ p$ is either $x$ or $y$.

Suppose that every $a$ reachable from $t \in Z$ by an $\mathcal{S}$-decryptable carried
path $p$ is an element of $Z$. If $a = (x, y)$ then $x$ and $y$ are reachable from
$t$ by the carried paths $p \frown \langle 1 \rangle$, $p \frown \langle 2 \rangle$ and therefore $x, y \in Z$. If $a = \{|b|\}_u$
with $\mathrm{inv}(u) \in \mathcal{S}$, then $p \frown \langle 1 \rangle$ is an $\mathcal{S}$-decryptable path so $b \in Z$. Thus $Z$ is
$\mathcal{S}$-deconstructive. □

There is an analogous statement, Lemma 3.17, for $\mathcal{S}$-constructive sets,
but this requires the notion of support.

Lemma 3.17. A set $Z$ is $\mathcal{S}$-constructive if and only if every term $t$ which is
$\mathcal{S}$-supported by $Z$ is an element of $Z$.

Proof. Suppose $Z$ is $\mathcal{S}$-constructive. We show that for every integer $n \ge 0$,
if $\mathrm{depth}(Z, \mathcal{S}, t) \le n$, then $t \in Z$. We use induction on $n$. If $n = 0$, then
$t \in Z$ and $\{t\}$ is an $\mathcal{S}$-support set for $t$. Suppose the assertion holds for $n - 1$
and $\mathrm{depth}(Z, \mathcal{S}, t) = n \ge 1$. In particular, $t$ is either a pair or an encryption.
If $t = (x, y)$ then $\mathrm{depth}(Z, \mathcal{S}, x) \le n - 1$ and similarly for $y$. Thus $x \in Z$
and $y \in Z$ by the induction hypothesis. Since $Z$ is $\mathcal{S}$-constructive, $t \in Z$.
If $t = \{|b|\}_u$ with $u \in \mathcal{S}$, then $\mathrm{depth}(Z, \mathcal{S}, b) \le n - 1$. By the inductive
hypothesis $b \in Z$. Since $Z$ is $\mathcal{S}$-constructive, $t \in Z$.

Conversely, if every $t$ which is $\mathcal{S}$-supported by $Z$ is an element of $Z$ it is
straightforward to show $Z$ is constructive. □

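Corollary 3.18. The smallest $\mathcal{S}$-constructive set containing $P$ is the set of
terms $t$ which are $\mathcal{S}$-supported by $P$.

Proposition 3.19. $\mathrm{Cl}^{\downarrow}(P, \mathcal{S})$ is the smallest $\mathcal{S}$-deconstructive set containing
$P$.

Proof. Let $Z$ be the smallest $\mathcal{S}$-deconstructive set containing $P$. By
Lemma 3.16, $\mathrm{Cl}^{\downarrow}(P, \mathcal{S})$ is $\mathcal{S}$-deconstructive. Since $\mathrm{Cl}^{\downarrow}(P, \mathcal{S}) \supseteq P$, it
follows that $Z \subseteq \mathrm{Cl}^{\downarrow}(P, \mathcal{S})$. To prove the converse, by definition $Z$ is
$\mathcal{S}$-deconstructive and so by Lemma 3.16 if $t \in Z$ and $p$ is an $\mathcal{S}$-decryptable
carried path from $t$ then $t @ p \in Z$. Since $P \subseteq Z$, it follows $Z \supseteq \mathrm{Cl}^{\downarrow}(P, \mathcal{S})$. □

Analogously, applying Lemma 3.17,

Proposition 3.20. $\mathrm{Cl}^{\uparrow}(P, \mathcal{S})$ is the smallest $\mathcal{S}$-constructive set containing
$P$.

Lemma 3.21. If $Z$ is $\mathcal{S}$-deconstructive, then $\mathrm{Cl}^{\uparrow}(Z, \mathcal{S})$ is $\mathcal{S}$-deconstructive.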
Figure 3: $\mathrm{Cl}^{\uparrow}(Z, \mathcal{S})$ is $\mathcal{S}$-deconstructive (Case (2))

Proof. By Lemma 3.16, it suffices to show that the endpoint of every carried
$\mathcal{S}$-decryptable path from $t \in \mathrm{Cl}^{\uparrow}(Z, \mathcal{S})$ is also in $\mathrm{Cl}^{\uparrow}(Z, \mathcal{S})$. Let $p$ be an
$\mathcal{S}$-decryptable path from $t \in \mathrm{Cl}^{\uparrow}(Z, \mathcal{S})$ with endpoint $e_p$. By the $\mathcal{S}$-encryptable
version of Remark 3.5, one of two things must hold for $p$: (1) there is a
maximal $\mathcal{S}$-encryptable path $q$ which is a (not necessarily proper) prefix of
$p$, or (2) $p$ has maximal $\mathcal{S}$-encryptable proper extensions. Let $q_1, \ldots, q_\ell$ be
all the maximal $\mathcal{S}$-encryptable extensions.

Consider case (1). By Corollary 3.18 and Proposition 3.20, every element
of $\mathrm{Cl}^{\uparrow}(Z, \mathcal{S})$ is $\mathcal{S}$-supported by $Z$, and so some prefix $q'$ of $q$ terminates in an
element of $Z$. Thus we can write $p = q' \frown q''$ where $q''$ is an $\mathcal{S}$-decryptable
path from an element of $Z$ to $e_p$. Since $Z$ is $\mathcal{S}$-deconstructive, $e_p \in \mathrm{Cl}^{\uparrow}(Z, \mathcal{S})$.

In case (2), we can write $q_i = p \frown q_i'$ for each $1 \le i \le \ell$ where each $q_i'$ is
a maximal $\mathcal{S}$-encryptable path starting at $e_p$. Again, since $\mathrm{Cl}^{\uparrow}(Z, \mathcal{S})$ is
$\mathcal{S}$-supported by $Z$, we know that each $q_i$ visits an element of $Z$. If this happens
with some $q'$ which is a prefix of $p$, then we can argue as we did in case
(1) that $e_p$ must be in $\mathrm{Cl}^{\uparrow}(Z, \mathcal{S})$. Otherwise, we are guaranteed that each $q_i'$
visits an element of $Z$. Since these $q_i'$ are the maximal $\mathcal{S}$-encryptable paths
of $e_p$, we know $e_p$ is $\mathcal{S}$-supported by $Z$. By Lemma 3.17 $e_p \in \mathrm{Cl}^{\uparrow}(Z, \mathcal{S})$. □

The previous results immediately yield:

Proposition 3.22. $D(P, \mathcal{S}) = \mathrm{Cl}^{\uparrow}(\mathrm{Cl}^{\downarrow}(P, \mathcal{S}), \mathcal{S})$.

In particular, by the characterization of the $\mathcal{S}$-upclosure of a set given by
Proposition 3.20:

Corollary 3.23. A necessary and sufficient condition $t \in D(P, \mathcal{S})$ is that $t$
be $\mathcal{S}$-supported by some subset of $\mathrm{Cl}^{\downarrow}(P, \mathcal{S})$.

Corollary 3.24. A necessary and sufficient condition $t \in D(P, \mathcal{S})$ is that
every maximal $\mathcal{S}$-encryptable path $p$ beginning at $t$ visit some element of
$\mathrm{Cl}^{\downarrow}(P, \mathcal{S})$.

Proof. Apply Remark 3.9 and Corollary 3.23. □

Corollary 3.24 leads to the notion of essential obstruction and critical
path in the next section.

Proposition 3.25. Suppose $t \in D(P, \mathcal{S})$, $p$ is a path from $t$ to $a$ and either
(i) $a = \{|b|\}_u$ with $u \notin \mathcal{S}$ or (ii) $a$ is not an encryption and not a pair. Then
either $p$ traverses $\mathrm{Fr}(P, \mathcal{S})$ or $a \in \mathrm{Cl}^{\downarrow}(P, \mathcal{S})$.

Proof. Consider case (i): Suppose $a \notin \mathrm{Cl}^{\downarrow}(P, \mathcal{S})$. Since $u \notin \mathcal{S}$, by
Remark 3.7, the path $p$ has a maximal $\mathcal{S}$-encryptable prefix (possibly $p$
itself). By Corollary 3.24, that prefix must visit some element $b$ of $\mathrm{Cl}^{\downarrow}(P, \mathcal{S})$;
in particular $p$ visits $b$. Since $a \notin \mathrm{Cl}^{\downarrow}(P, \mathcal{S})$, it is in fact a proper prefix $q$ of
$p$ that visits $b$. Let $r$ be the remnant of $p$ after $q$. $r$ is a path from $b$ to $a$. By
Proposition 3.15, $r$ traverses $\mathrm{Fr}(P, \mathcal{S})$.

In case (ii) the argument is identical, since the only fact used was that
the path $p$ has a maximal $\mathcal{S}$-encryptable prefix. □

4 Critical Path

Definition 4.1. An essential obstruction of $t$ relative to $P, \mathcal{S}$ is a maximal
$\mathcal{S}$-encryptable path beginning at $t$ which does not visit an element of $\mathrm{Cl}^{\downarrow}(P, \mathcal{S})$.

The set of essential obstructions is denoted $\mathrm{Eob}(P, \mathcal{S}, t)$.

Remark 4.2. The content of Corollary 3.24 is that $t \in D(P, \mathcal{S})$ if and only if
$\mathrm{Eob}(P, \mathcal{S}, t) = \emptyset$.

For the CPSA search algorithm, in particular for its notion of "progress"
the set of essential obstructions is too small. This leads to the notion of
critical path.
Figure 4: Essential Obstruction

Definition 4.3. Let $p \in \mathrm{CarPath}(t)$ have endpoint $e_p$. $p$ is critical relative
to $P, \mathcal{S}$ if and only if (1) $e_p$ is an encryption $\{|b|\}_u$ with $u \notin \mathcal{S}$ or an element
which is not a pair and not an encryption, (2) $e_p \notin \mathrm{Cl}^{\downarrow}(P, \mathcal{S})$ and (3) $p$ does
not visit $\mathrm{Fr}(P, \mathcal{S})$.

The set of critical paths is denoted $\mathrm{CritPath}(P, \mathcal{S}, t)$.

Proposition 4.4. Let $p \in \mathrm{CarPath}(t)$ have endpoint $e_p$. A necessary and
sufficient condition for $p$ to be critical relative to $P, \mathcal{S}$ is that (A) $e_p$ is an
encryption $\{|b|\}_u$ with $u \notin \mathcal{S}$ or an element which is not a pair and not an
encryption, (B) $p$ does not visit an element of $\mathrm{Cl}^{\downarrow}(P, \mathcal{S})$.

Proof. Conditions (1) of Definition 4.3 and (A) are identical. Now suppose
$p \in \mathrm{CarPath}(t)$ is such that (1) holds. Then properties (2) and (3) of
Definition 4.3 are equivalent to (B): In one direction, suppose (B) holds, that
is, $p$ does not visit $\mathrm{Cl}^{\downarrow}(P, \mathcal{S})$. Since $p$ visits $e_p$, it follows that $e_p \notin \mathrm{Cl}^{\downarrow}(P, \mathcal{S})$
which is (2). By definition $\mathrm{Fr}(P, \mathcal{S}) \subseteq \mathrm{Cl}^{\downarrow}(P, \mathcal{S})$, and therefore $p$ cannot visit
any element of $\mathrm{Fr}(P, \mathcal{S})$ proving (3). In the other direction, suppose (2) and
(3) hold, but $p$ visits $a \in \mathrm{Cl}^{\downarrow}(P, \mathcal{S})$. Now $a \neq e_p$, for otherwise $p$ is a maximal
$\mathcal{S}$-encryptable path from an element of $P$ to $a$ (by Remark 3.7) and therefore
$e_p = a \in \mathrm{Fr}(P, \mathcal{S}) \subseteq \mathrm{Cl}^{\downarrow}(P, \mathcal{S})$ which contradicts (2). Otherwise, let $q$ be
the remnant of $p$ from $a$. By the boundary property of $\mathrm{Fr}(P, \mathcal{S})$
(Proposition 3.15), $q$ visits an element of $\mathrm{Fr}(P, \mathcal{S})$. Therefore $p$ visits an element of
$\mathrm{Fr}(P, \mathcal{S})$ which contradicts (3). □


Remark 4.5. Any essential obstruction is a critical path. Proof: By the
version of Remark 3.7 for $\mathcal{S}$-encryptable paths, any essential obstruction
satisfies (A) of Proposition 4.4. (B) is part of the definition of essential
obstruction.

Remark 4.6. If $p \in \mathrm{CritPath}(P, \mathcal{S}, t)$, by Remark 3.6 $p$ has a unique maximal
$\mathcal{S}$-encryptable prefix $\mu(p)$. Since $p$ does not visit $\mathrm{Cl}^{\downarrow}(P, \mathcal{S})$, no prefix of $p$
can visit $\mathrm{Cl}^{\downarrow}(P, \mathcal{S})$. In particular, $\mu(p) \in \mathrm{Eob}(P, \mathcal{S}, t)$. Now $\mathrm{Eob}(P, \mathcal{S}, t) \subseteq
\mathrm{CritPath}(P, \mathcal{S}, t)$ and the mapping $\mu :
\mathrm{CritPath}(P, \mathcal{S}, t) \to \mathrm{Eob}(P, \mathcal{S}, t)$ is the identity on $\mathrm{Eob}(P, \mathcal{S}, t)$.

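Proposition 4.7. A necessary and sufficient condition $t \in D(P, \mathcal{S})$ is that

$\mathrm{CritPath}(P, \mathcal{S}, t) = \emptyset$.   (3)

Proof. Consider the map $\mu : \mathrm{CritPath}(P, \mathcal{S}, t) \to \mathrm{Eob}(P, \mathcal{S}, t)$ defined in
Remark 4.6. The map $\mu$ is surjective and therefore $\mathrm{CritPath}(P, \mathcal{S}, t) \neq \emptyset \iff
\mathrm{Eob}(P, \mathcal{S}, t) \neq \emptyset$. The result now follows by Remark 4.2. □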

Definition 4.8. The escape set of $a$ relative to $P, \mathcal{S}$, denoted $\mathrm{Esc}(P, \mathcal{S}, a)$ is
the union of the set of those elements of $\mathrm{Fr}(P, \mathcal{S})$ which carry $a$ with the set
$\{a\}$ if $a \in \mathrm{Cl}^{\downarrow}(P, \mathcal{S})$.

Remark 4.9. By Remark 3.14, every element of $\mathrm{Esc}(P, \mathcal{S}, a)$ other than $a$ is
either an encryption or an atom.

Proposition 4.10. If $p \in \mathrm{CarPath}(t)$ with endpoint $e_p$ and $p \in
\mathrm{CritPath}(P, \mathcal{S}, t)$, then the following conditions hold:

1. $p$ does not visit $\mathrm{Esc}(P, \mathcal{S}, e_p)$.

2. Every path from an element of $P$ to $e_p$ visits $\mathrm{Esc}(P, \mathcal{S}, e_p)$.

3. For every encryption $\{|b|\}_u \in \mathrm{Esc}(P, \mathcal{S}, e_p)$, $\mathrm{inv}(u) \notin \mathcal{S}$.

4. If $e_p$ is an encryption $\{|b|\}_u$, then $u \notin \mathcal{S}$.
Proof. Suppose $p \in \mathrm{CritPath}(P, \mathcal{S}, t)$. By Definition 4.3, $p$ does not
visit $\mathrm{Fr}(P, \mathcal{S})$. Moreover, also by Definition 4.3, $e_p \notin \mathrm{Cl}^{\downarrow}(P, \mathcal{S})$. Thus
$\mathrm{Esc}(P, \mathcal{S}, e_p) \subseteq \mathrm{Fr}(P, \mathcal{S})$ by the Definition 4.8 of escape set. This proves (1).
Since $e_p \notin \mathrm{Cl}^{\downarrow}(P, \mathcal{S})$, any path from $P$ to $e_p$ must traverse some element
$d \in \mathrm{Fr}(P, \mathcal{S})$ by the boundary property of the frontier (Proposition 3.15). $d$
carries $e_p$ and therefore $d \in \mathrm{Esc}(P, \mathcal{S}, e_p)$. This proves (2). Property (3) is
immediate from the definition of frontier. Finally Property (4) follows from
the definition of critical path.

□
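
The definitions of Sections 3 and 4 can be run directly on ground terms. The Python below is an added example, not the CPSA implementation and not code from this paper; the term classes, function names and sample terms are constructed for illustration, and message variables are left out so that inv is total.

```python
from dataclasses import dataclass

# Constructed term representation; ground terms only (no message variables).
@dataclass(frozen=True)
class Atom:
    sort: str   # one of: name, text, data, skey, akey
    name: str

@dataclass(frozen=True)
class Pair:
    left: object
    right: object

@dataclass(frozen=True)
class Enc:      # {|body|}_key
    body: object
    key: object

@dataclass(frozen=True)
class Inv:      # key^{-1}, only built for akey atoms
    key: object

def inv(u):
    """Key that decrypts what u encrypts: a^{-1} for akeys, u itself otherwise."""
    if isinstance(u, Inv):
        return u.key                      # (a^{-1})^{-1} = a
    if isinstance(u, Atom) and u.sort == "akey":
        return Inv(u)
    return u

def carried_steps(t, usable):
    """Carried edges out of t: both pair components, and the plaintext edge of
    {|b|}_u when usable(u). Key edges and inverse edges are never followed."""
    if isinstance(t, Pair):
        return [(1, t.left), (2, t.right)]
    if isinstance(t, Enc) and usable(t.key):
        return [(1, t.body)]
    return []

def downclosure(P, S):
    """Endpoints of S-decryptable carried paths starting in P (Definition 3.10)."""
    seen, todo = set(), list(P)
    while todo:
        t = todo.pop()
        if t not in seen:
            seen.add(t)
            todo += [c for _, c in carried_steps(t, lambda u: inv(u) in S)]
    return seen

def frontier(P, S):
    """Endpoints of maximal S-decryptable carried paths starting in P."""
    return {t for t in downclosure(P, S)
            if not carried_steps(t, lambda u: inv(u) in S)}

def _avoiding_paths(P, S, t, through):
    """(position, endpoint) of carried paths from t that never visit the
    downclosure and end at {|b|}_u with u not in S or at a term that is neither
    a pair nor an encryption. through(u) picks the encryptions a path may cross."""
    down, found = downclosure(P, S), []
    def walk(x, pos):
        if x in down:
            return                        # every extension would visit the downclosure
        if not carried_steps(x, lambda u: u in S):
            found.append((pos, x))
        for i, c in carried_steps(x, through):
            walk(c, pos + (i,))
    walk(t, ())
    return found

def essential_obstructions(P, S, t):      # Definition 4.1: S-encryptable paths only
    return _avoiding_paths(P, S, t, lambda u: u in S)

def critical_paths(P, S, t):              # Proposition 4.4: any carried path
    return _avoiding_paths(P, S, t, lambda u: True)

def derivable(P, S, t):                   # Remark 4.2 / Proposition 4.7
    return not essential_obstructions(P, S, t)

def carries(x, a):
    return x == a or any(carries(c, a) for _, c in carried_steps(x, lambda u: True))

def escape_set(P, S, a):                  # Definition 4.8
    down = downclosure(P, S)
    return {x for x in frontier(P, S) if carries(x, a)} | ({a} & down)

# Constructed sample data (not from the paper).
n, m = Atom("text", "n"), Atom("text", "m")
k, k2 = Atom("skey", "k"), Atom("skey", "k2")   # symmetric: inv(k) = k
ka = Atom("akey", "ka")                          # asymmetric: inv(ka) = ka^{-1}
P = {Enc(Pair(n, Enc(m, ka)), k)}                # {| (n, {|m|}_ka) |}_k
S = {k, ka}                                      # context holds k and public key ka

if __name__ == "__main__":
    print(frontier(P, S))                 # n and {|m|}_ka
    print(derivable(P, S, Enc(n, ka)), derivable(P, S, m))
    print(critical_paths(P, S, Pair(n, Enc(m, k2))))
    print(escape_set(P, S, m))            # {|m|}_ka is all that protects m
```

With the sample context, the term (n, {|m|}_k2) has one essential obstruction but two critical paths, which shows why the set of critical paths is the larger of the two.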

Theorem 4.11. Suppose $p \in \mathrm{CarPath}(t)$ with endpoint $e_p$ and $E \subseteq \mathfrak{A}$
consists of encryptions or atoms. If $p \notin \mathrm{CritPath}(P, \mathcal{S}, t)$, then one of the
following conditions holds:

1. $p$ visits $E$.

2. There is a path from an element of $P$ to $e_p$ which does not visit $E$.

3. For some $\{|b|\}_u \in E$, $\mathrm{inv}(u) \in \mathcal{S}$.

4. $e_p$ is an encryption $\{|b|\}_u$ with $u \in \mathcal{S}$.

Proof. Since $p \notin \mathrm{CritPath}(P, \mathcal{S}, t)$, by taking the contrapositive of
Proposition 4.4, we conclude that one of the following must hold:

(A) It is not the case that $e_p$ is an encryption of the form $\{|b|\}_u$ with $u \notin \mathcal{S}$
and $e_p$ is not an atom.

(B) $p$ visits an element of $\mathrm{Cl}^{\downarrow}(P, \mathcal{S}, t)$.

Case (A) is equivalent to: $e_p$ is an encryption of the form $\{|b|\}_u$ with
$u \in \mathcal{S}$. Thus in case (A), condition (4) of the Lemma holds. Thus we may
henceforth assume that (A) fails and (B) holds. In particular, $p$ visits an
element $d$ of $\mathrm{Cl}^{\downarrow}(P, \mathcal{S}, t)$. Let $q$ be the remnant of $p$ starting at $d$, and let $r$
be an $\mathcal{S}$-decryptable path from an element of $P$ to $d$. In this case one of the
following statements holds:

(a) $p$ visits $E$

(b) $r$ visits $E$

(c) Neither $p$ nor $r$ visit $E$
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Figure  5:  Case  (B)  of  Lemma  5.6 


In  case  (a),  this  is  simply  Condition  (1)  of  the  lemma.  If  (a)  case  does  not 
hold  but  (b)  does  hold,  then  we  conclude  that  r  traverses  an  element  x  e  E, 
for  if  r  terminated  at  x,  then  p  would  visit  E  contrary  to  the  assumption  that 
(a)  does  not  hold.  By  hypothesis,  x  is  either  an  encryption  or  atom,  but  x 
cannot  be  an  atom  since  no  path  can  traverse  an  atom.  Thus  x  is  of  the  form 
{|c|}„.  Since  r  is  S-decryptable,  inv(v)  G  S,  thereby  meeting  Condition  (3) 
of  the  lemma.  In  case  (c),  the  carried  path  r^  q  is  a  path  from  P  to  ep  which 
does  not  visit  E,  thereby  satisfying  Condition  (2)  of  the  lemma.  □ 

5  Fragments 

So far we have considered derivability in the basic cryptoalgebra setting. This section introduces a further refinement in which the available messages and the context are determined by other considerations which occur naturally in the setting of a protocol execution. In the section on the adversary model, it is explained why the penetrator cannot use terms in what is called the exclusion set. Recall that $\mathfrak{B} = \mathfrak{A}_{\mathrm{skey}} \cup \mathfrak{A}_{\mathrm{akey}} \cup \mathfrak{A}_{\mathrm{name}} \cup \mathfrak{A}_{\mathrm{text}} \cup \mathfrak{A}_{\mathrm{data}}$.

Definition 5.1. A fragment consists of a tuple $\mathcal{F} = (T, X, a)$ where $X \subseteq \mathfrak{B}$ and $a$ is a term. The $X$ in a fragment is called the exclusion set. The set of public messages at $\mathcal{F}$ is

$$P_{\mathcal{F}} = T \cup (\mathfrak{B} \setminus X) \cup X_{\mathrm{mesg}} \cup \mathrm{Tags}. \tag{4}$$

The encryption context at $\mathcal{F}$ is $S_{\mathcal{F}} = D(P_{\mathcal{F}})$. If $\mathcal{F}$ is a fragment, $T_{\mathcal{F}}$, $X_{\mathcal{F}}$, and $a_{\mathcal{F}}$ are the components of $\mathcal{F}$.

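Definition 5.2. The critical pathset of a fragment $\mathcal{F}$ is the set $\mathrm{CritPath}(\mathcal{F}) = \mathrm{CritPath}(P_{\mathcal{F}}, S_{\mathcal{F}}, a_{\mathcal{F}})$. The critical pathset at $\mathcal{F}$ is denoted $\mathrm{CritPath}(\mathcal{F})$. The escape set of a term $a$ in $\mathcal{F}$ is $\mathrm{Esc}(\mathcal{F}, a) = \mathrm{Esc}(P_{\mathcal{F}}, S_{\mathcal{F}}, a)$. Similar conventions apply to the sets CP, CP,

Remark 5.3. By virtue of (4), $X_{\mathrm{mesg}} \cup \mathrm{Tags} \subseteq \mathrm{Cb}(\mathcal{F})$.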

In  the  intended  interpretation  of  a  fragment  for  skeletons,  U  corresponds 
to  the  declared  uniquely  originating  atoms  which  actually  originate  in  A. 

Definition 5.4. If $\mathcal{F} = (T, X, a)$, $\mathcal{F}' = (T', X', a')$ are fragments, a homomorphism $\sigma : \mathcal{F} \to \mathcal{F}'$ is an algebra homomorphism such that $\sigma(T) \subseteq T'$, $\sigma(X) \subseteq X'$, and $\sigma(a) = a'$.

We  now  consider  possible  ways  of  resolving  a  critical  path. 

Definition 5.5 (Critical Path Solved). Suppose $\mathcal{F}$, $\mathcal{F}'$ are fragments and $p$ is a critical path with endpoint $e_p$ of the term $a_{\mathcal{F}}$ at $\mathcal{F}$. Let $\sigma : \mathfrak{A} \to \mathfrak{A}$ be an algebra homomorphism. Let $E' = \sigma(\mathrm{Esc}(\mathcal{F}, e_p))$, $p' = \sigma(p)$ and $e'_p = \sigma(e_p)$.

Path $p$ from $a_{\mathcal{F}}$ is solved in $\mathcal{F}'$ by $\sigma$, if and only if one of the following conditions holds:

• Sol1. $p'$ visits $E'$.

• Sol2. There is a carried path from an element of $T_{\mathcal{F}'}$ to $e'_p$ which does not visit $E'$.

• Sol3. For some $\{|b|\}_u \in E'$, $\mathrm{inv}(u) \in S_{\mathcal{F}'}$.

• Sol4. $e'_p = \{|b|\}_u$, and $u \in S_{\mathcal{F}'}$.

Let $\mathrm{Solved}(\mathcal{F}, p) = \{(\sigma, \mathcal{F}') : \sigma \text{ is a homomorphism } \mathfrak{A} \to \mathfrak{A} \text{, and } \sigma \text{ solves } p \text{ in } \mathcal{F}'\}$

In words, CPSA makes progress by a contraction (Item 1), where messages are identified, an augmentation (Item 2), where something is added to the escape set, or a listener augmentation (Item 3 and Item 4), where an assumption about the lack of the derivability of a key is shown to be invalid.

Lemma 5.6. Suppose $\mathcal{F}$, $\mathcal{F}'$ are fragments and $\sigma : \mathfrak{A} \to \mathfrak{A}$ is an algebra homomorphism. If $p \in \mathrm{CritPath}(\mathcal{F})$ and $\sigma(p) \notin \mathrm{CritPath}(\mathcal{F}')$, then $\sigma$ solves $p$ in $\mathcal{F}'$.

Proof. Let $e_p$ be the endpoint of $p$. By Proposition 4.4, $e_p$ is either (a) an encryption of the form $\{|b|\}_u$ with $u \notin S_{\mathcal{F}}$ or (b) not a pair and not an encryption. The only possibility for $e_p$ in case (b) is $e_p \in \mathfrak{B}$: For by clause (B) of Proposition 4.4 $e_p \notin \mathrm{Cb}(\mathcal{F})$ and variables $X_{\mathrm{mesg}}$ or Tags are in $\mathrm{Cb}(\mathcal{F})$ by Remark 5.3. Now by Remark 4.9 all elements of $\mathrm{Esc}(\mathcal{F}, e_p)$ other than $e_p$ are either encryptions or atoms. Therefore all elements of $\mathrm{Esc}(\mathcal{F}, e_p)$ are either encryptions or atoms.

Let $E' = \sigma(\mathrm{Esc}(\mathcal{F}, e_p))$, $p' = \sigma(p)$ and $e'_p = \sigma(e_p)$. By the last statement of the previous paragraph, all elements of $E'$ are encryptions or atoms. Now apply Theorem 4.11. □

When dealing with instantiating variables of sort MESG while inferring additional honest behavior, CPSA uses the notion of the set of "target terms" to keep its behavior finite. First the set of threshold terms between a term $a$ and a set of terms $S$:

$$\mathrm{Thr}(S, a) = \{a\} \cup \{t \mid t \text{ carries } a,\ t \text{ is a proper carried subterm of some } s \in S\}$$

Note that $a$ is always a threshold term regardless of whether $a$ is carried within some element of $S$.

Definition 5.7 (Target terms). The set of target terms for a critical path $p$ with endpoint $t$ in a fragment $\mathcal{F}$ is the set $\mathrm{Thr}(\mathrm{Esc}(\mathcal{F}, t), t)$.

Definition 5.8 (Critical Path Weakly Solved). Suppose $\mathcal{F}$, $\mathcal{F}'$ are fragments and $p$ is a critical path with endpoint $e_p$ of the term $a_{\mathcal{F}}$ at $\mathcal{F}$. Let $\sigma : \mathfrak{A} \to \mathfrak{A}$ be an algebra homomorphism. Let $E' = \sigma(\mathrm{Esc}(\mathcal{F}, e_p))$, $p' = \sigma(p)$ and $e'_p = \sigma(e_p)$. Path $p$ from $a_{\mathcal{F}}$ is weakly solved in $\mathcal{F}'$ by $\sigma$, if and only if $p$ is solved in $\mathcal{F}'$ by $\sigma$, or if

• Sol5. There is an element of $\mathrm{Targ}(\mathrm{Esc}(\mathcal{F}', e'_p), e_p)$ not in $\sigma(\mathrm{Targ}(E, e_p))$.

The notion of a path being weakly solved is needed later in the proof of completeness. Sol5 represents a very weak form of progress, where we have only improved our set of target terms.

6 Protocols


A  run  of  a  protocol  is  viewed  as  an  exchange  of  messages  by  a  finite  set  of 
local  sessions  of  the  protocol. 

An event is either a message transmission or a reception. If $m$ is a message, an outbound message event is written as $+m$, and inbound message event is written as $-m$. By abuse of language, if $e$ is an event we will write $-e$ to signify that $e$ is an inbound event and similarly for outbound events. A trace in $\mathfrak{A}$ is a sequence $(e_1, \ldots, e_n)$ of message events. The set of traces over $\mathfrak{A}$ is denoted […]. A restriction of a trace $\tau = (e_1, \ldots, e_n)$ is any trace $\tau' = (e_1, \ldots, e_k)$ for $1 \le k \le n$. We will also use the phrase $\tau$ is an extension of $\tau'$ and the notation $\tau' = \tau|k$. Endomorphisms $\sigma \in \mathrm{End}(\mathfrak{A})$ act on message events and traces: $\sigma(\pm m) = \pm\sigma(m)$ and $\sigma(e_1, \ldots, e_n) = (\sigma(e_1), \ldots, \sigma(e_n))$.

Traces of the form $(-m, +m)$ where $m \in \mathfrak{A}$ are referred to as listener traces. The special trace $(-x, +x)$ where $x$ is a variable of sort message matches any listener trace.


Figure 6: Originates, Gained, Acquired [diagram labels: "occurs in", "carried within"]

Let $t$ be a trace, $m$ a message. $m$ originates in $t$ if it is carried by some event on $t$ and the first event on $t$ in which it is carried is a transmission. $m$ is gained by $t$ if it is carried by some event on $t$ and the first event on $t$ in which it is carried is a reception; however, this condition allows for prior occurrences of the message $m$. $m$ is acquired by $t$ if it first occurs on $t$ in a reception event and is also carried by that event.

6.1 Roles and Protocols

In a run of a protocol, the behavior of each strand is constrained, in a sense made precise below, by a composite structure called a role. A protorole over a cryptoalgebra $\mathfrak{A}$ with atoms $\mathfrak{B}$ is a structure $p = (C, N, U)$, where $C$ is a trace over $\mathfrak{A}$, $N \subseteq \mathfrak{B}$, and $U \subseteq \mathfrak{B}$. The trace of the role $p$ is $C$, its non-origination assumptions are $N$, and its unique origination assumptions are $U$. In case of ambiguity, the components of $p$ are denoted $(C_p, N_p, U_p)$.

Definition 6.1. A protorole $p = (C, N, U)$ is a role if

1. $t \in N$ implies $t$ is not carried in $C$, and all variables in $N$ occur in $C$.

2. $t \in U$ implies $t$ originates in $C$.

3. If a variable $x$ occurs in $C$ then $x$ is an atom or it is acquired in $C$.

Equivalently, condition (3) states that a variable $x$ of sort MESG occurs in $C$ only if it is acquired in $C$.

A listener trace is any trace of the form $(-m, +m)$ where $m$ is of sort MESG.

Remark 6.2. Any role $p$ whose trace is $(-x, +x)$, $x$ a variable of sort MESG, must have $N_p = U_p = \emptyset$. However if a role is of the form $(-m, +m)$ where $m$ is not a variable of sort MESG, then $N_p$ may be non-empty. For example $(-\{|x|\}_u, +\{|x|\}_u)$ where $u \in$ SKEY. However, it is always the case that $U_p = \emptyset$, since nothing originates on a listener trace.

A listener role is one of the form

$$\mathrm{lsn} = ((-x, +x), \emptyset, \emptyset). \tag{5}$$

where $x$ is a variable of sort MESG. This is a legitimate role: (1) and (2) are vacuous and the variable $x$ is acquired in the trace.
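The definitions of originates, gained and acquired, and the three conditions of Definition 6.1, can be checked mechanically. The following is an added example, not code from the paper or from CPSA; it assumes the usual strand-space reading of "carried" (a term carries itself, a pair carries what its parts carry, an encryption carries what its plaintext carries but not its key) and models atoms as bare base-sort variables. All class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Union

@dataclass(frozen=True)
class Atom:            # a variable of base sort (text, data, name, skey, akey)
    name: str

@dataclass(frozen=True)
class Var:             # a variable of sort MESG
    name: str

@dataclass(frozen=True)
class Pair:
    left: "Term"
    right: "Term"

@dataclass(frozen=True)
class Enc:             # {|body|}_key
    body: "Term"
    key: "Term"

Term = Union[Atom, Var, Pair, Enc]

def carried(m):
    """Terms carried by m (assumed definition): m itself, the parts of a pair,
    and what the plaintext of an encryption carries. Keys are not carried."""
    out = {m}
    if isinstance(m, Pair):
        out |= carried(m.left) | carried(m.right)
    elif isinstance(m, Enc):
        out |= carried(m.body)
    return out

def occurring(m):
    """Terms occurring in m: every subterm, key positions included."""
    out = {m}
    if isinstance(m, Pair):
        out |= occurring(m.left) | occurring(m.right)
    elif isinstance(m, Enc):
        out |= occurring(m.body) | occurring(m.key)
    return out

def first_event(trace, t, rel):
    """Index of the first event whose message relates to t under rel, or None."""
    for i, (_, m) in enumerate(trace):
        if t in rel(m):
            return i
    return None

def originates(trace, t):
    i = first_event(trace, t, carried)
    return i is not None and trace[i][0] == "+"

def gained(trace, t):
    i = first_event(trace, t, carried)
    return i is not None and trace[i][0] == "-"

def acquired(trace, t):
    i = first_event(trace, t, occurring)
    return i is not None and trace[i][0] == "-" and t in carried(trace[i][1])

def role_violations(C, N, U):
    """Sorted (condition number, term name) pairs where the protorole (C, N, U)
    breaks Definition 6.1; an empty list means it is a role."""
    occ = set().union(*(occurring(m) for _, m in C))
    car = set().union(*(carried(m) for _, m in C))
    bad = []
    for t in N:                       # (1) not carried, and it occurs in C
        if t in car or t not in occ:
            bad.append((1, t.name))
    for t in U:                       # (2) originates in C
        if not originates(C, t):
            bad.append((2, t.name))
    for x in occ:                     # (3) MESG variables must be acquired
        if isinstance(x, Var) and not acquired(C, x):
            bad.append((3, x.name))
    return sorted(bad)

# Constructed sample traces (not taken from the paper).
a, n1, n2 = Atom("a"), Atom("n1"), Atom("n2")
ka, kb, k = Atom("ka"), Atom("kb"), Atom("k")
x = Var("x")
INIT = [("+", Enc(Pair(n1, a), kb)), ("-", Enc(Pair(n1, n2), ka)), ("+", Enc(n2, kb))]
KEY_FIRST = [("+", Enc(n1, k)), ("-", k)]   # k occurs as a key before it is carried
LISTENER = [("-", x), ("+", x)]             # the trace of the listener role (5)

if __name__ == "__main__":
    print(role_violations(INIT, {kb}, {n1}), role_violations(INIT, {n1}, {n2}))
```

`KEY_FIRST` separates the two reception notions: `k` is gained (its first carried occurrence is a reception) but not acquired (it first occurs earlier, in a key position of a transmission).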

We introduce a pseudorole $\mathcal{L}$, not a role, which is used as a special annotation for roles of auxiliary traces introduced by the CPSA search algorithm. This artifice allows us to distinguish between genuine protocol roles which may behave like listener roles and the roles of these auxiliary traces. However $\mathcal{L}$ is associated to the listener trace defined previously and accordingly we introduce the following (somewhat abusive) notation:

• $C_{\mathcal{L}}$ is the listener trace $(-x, +x)$ where $x$ is a variable of sort MESG.

• $U_{\mathcal{L}} = N_{\mathcal{L}} = \emptyset$.

Essentially a trace is constrained by a role if it agrees with an instance of the role restricted up to the length of the trace. The term we will actually use is role specification which completely determines the trace.

Definition 6.3. A role specification for a trace $\tau$ is a structure $(p, \sigma)$ where $\sigma \in \mathrm{End}(\mathfrak{A})$ and either (a) $p$ is a role or (b) $p$ is the pseudorole $\mathcal{L}$, and the following holds

1. $\tau$ is a restriction of $\sigma(C_p)$ and

2. s-dom $\sigma$ is the set of variables that occur in the trace $C_p \mid \mathrm{len}\,\tau$.

Remark 6.4. Condition (2) means that the substitution $\sigma$ transforms precisely those variables that occur within the role up to the height of the strand.

Note that the definition of role specification $(p, \sigma)$ for a trace $\tau$ does not involve origination assumptions. However, the origination assumptions of $p$ are transported onto $\tau$ by the substitution $\sigma$. First some notation. Given $\sigma \in \mathrm{End}(\mathfrak{A})$ and $E \subseteq \mathfrak{A}$, $[\sigma]^{*}E$ is the set

$$\{\sigma(t) : t \in E,\ \mathrm{Vars}(t) \subseteq \text{s-dom}(\sigma)\}.$$

Definition 6.5. Suppose $\tau$ is a trace and $(p, \sigma)$ is a role specification for $\tau$. The origination assumptions inherited by $\tau$ via $(p, \sigma)$ are

$$N_{(p,\sigma)} = [\sigma]^{*}N_p$$

and

$$U_{(p,\sigma)} = [\sigma]^{*}U_s,$$

where $U_s$ are the elements of $U_p$ that originate before the event at position $\mathrm{len}\,\tau$ on the role strand $C_p$.

Remark 6.6. Since $N_{\mathcal{L}} = U_{\mathcal{L}} = \emptyset$, there are no inherited origination assumptions for strands with specification $\mathcal{L}$.

A protocol is a set of roles. Let $\mathrm{Vars}(P)$ be the set of variables that occur in the traces of the roles in protocol $P$.

7 Skeletons


Fix a protocol $P$ for the remainder of the paper. The details of penetrator behavior are abstracted away when performing protocol analysis. The abstracted description is called a realized skeleton. To define this and as an essential tool of analysis we introduce structures with increasing specificity. In the following $\mathfrak{A}$ denotes a cryptoalgebra.

We begin with a general notion which formalizes a notion of collection of "locally linearly ordered" communication events. A node space is a pair $(I, \Theta)$ where $\Theta$ is a map from $I$ to the set of traces over $\mathfrak{A}$. Associated to a node space $\mathbb{A} = (I, \Theta)$ are the following objects: The nodes of $\mathbb{A}$ is the set of pairs $(s, i)$ where $s \in I$ and $i < \mathrm{len}\,\Theta(s)$. By abuse of notation we write $(s, i) \in \mathbb{A}$ to indicate that $(s, i)$ is a node of $\mathbb{A}$. The elements of the index set $I$ are the strands of the node space. Nodes $(s, i)$ and $(s', j)$ are on the same strand if $s = s'$. The set of variables occurring in the traces of $\mathbb{A}$ is denoted $\mathrm{Vars}(\mathbb{A})$. If the variables in $\mathrm{Vars}(\mathbb{A})$ are all of base sort, the node space is instantiated. For any $t \in \mathfrak{A}$, $O_{\mathbb{A}}(t)$ is the set of nodes at which $t$ originates in $\mathbb{A}$, $G_{\mathbb{A}}(t)$ is the set of nodes at which $t$ is gained in $\mathbb{A}$, and $C_{\mathbb{A}}(t)$ is the set of nodes at which $t$ is carried in $\mathbb{A}$. A strand is a node space consisting of a single strand.

There is no intrinsic association between a node space $\mathbb{A}$ and a protocol $P$. However, we can establish such an association by requiring that each strand of $\mathbb{A}$ be constrained by some specified role. Before stating this condition, we state the blanket variable hygiene condition for protoskeletons and protocols which we will assume throughout: $\mathrm{Vars}(P) \cup \mathrm{Vars}(\mathrm{lsn})$ is disjoint from $\mathrm{Vars}(\Theta)$.

A $P$-role assignment for a node space $\mathbb{A}$ is a mapping $\mathcal{A}$ which associates to each strand $s \in I$ a $P$-role specification $\mathcal{A}(s) = (p_s, \sigma_s)$.

Remark 7.1. By the variable hygiene requirement, $\mathrm{Vars}(P)$ and $\mathrm{Vars}(\Theta)$ are disjoint. The substitution $\sigma_s$ must affect every variable that occurs within the role up to the height of the strand.

A node space may have no $P$-role assignments or it may have more than one role assignment.

Given a node space $\mathbb{A}$ and a role assignment $\mathcal{A}$ for $\mathbb{A}$, the origination assumptions inherited by $\mathbb{A}$ from $P$ via $\mathcal{A}$ are

$$N_{\mathcal{A}} = \bigcup_{s \in I} N_{\mathcal{A}(s)}, \qquad U_{\mathcal{A}} = \bigcup_{s \in I} U_{\mathcal{A}(s)}.$$

The sets $N$ and $U$ are the declared non-origination terms and uniquely originating terms of $\mathbb{A}$.

Definition 7.2. Suppose $P$ is a protocol. A protoskeleton for $P$ is a structure $\mathbb{A} = (I, \Theta, \prec, N, U)$, where $(I, \Theta)$ is a node space, $N \subseteq \mathfrak{B}$, $U \subseteq \mathfrak{B}$ and $\prec$ is a relation on the nodes of $\mathbb{A}$ such that there is a role assignment $\mathcal{A}$ with the following properties:

1. $N_{\mathcal{A}} \subseteq N$.

2. $U_{\mathcal{A}} \subseteq U$.

The role assignment $\mathcal{A}$ in Definition 7.2 is a protoskeleton validating role assignment. In contexts where the protocol is understood, we simply refer to a protoskeleton for $P$ as a protoskeleton. If $\mathbb{A}$ is a protoskeleton, $I_{\mathbb{A}}$, $\Theta_{\mathbb{A}}$, $\prec_{\mathbb{A}}$, $N_{\mathbb{A}}$, $U_{\mathbb{A}}$ are the components of $\mathbb{A}$.

Protoskeleton validating role assignments for a structure $\mathbb{A} = (I, \Theta, \prec, N, U)$ can be mixed:

Remark 7.3. Note that in general, a $P$-role specification $(p, \sigma)$ for a strand need not respect points of origination, that is if $t$ originates at position $i$ on $C_p|n$, $\sigma(t)$ may originate at some earlier node on $\sigma(C_p)|n$. However, condition (5) of Definition 7.2 states that a protoskeleton must have at least one $P$-role assignment such that all role specifications are origination preserving.

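Definition 7.4 (Protomorphism). Let $\mathbb{A}$, $\mathbb{B}$ be protoskeletons. A protomorphism from $\mathbb{A}$ to $\mathbb{B}$ is a pair $\lambda = (\varphi, \sigma)$ where $\varphi$ maps nodes of $\mathbb{A}$ to nodes of $\mathbb{B}$ and $\sigma \in \mathrm{End}(\mathfrak{A})$ is such that:

1. There exists a map $\varphi_{\mathrm{str}} : I_{\mathbb{A}} \to I_{\mathbb{B}}$ such that for all $(s, i) \in \mathbb{A}$, $\varphi(s, i) = (\varphi_{\mathrm{str}}(s), i)$.

2. $n \in \mathrm{nodes}(\mathbb{A})$ implies $\sigma(\mathrm{evt}(n)) = \mathrm{evt}(\varphi(n))$.

3. $\sigma(N_{\mathbb{A}}) \subseteq N_{\mathbb{B}}$;

4. $\sigma(U_{\mathbb{A}}) \subseteq U_{\mathbb{B}}$.

Remark 7.5. The mapping $\varphi_{\mathrm{str}}$ is called the strand mapping. The strand mapping is unique. By abuse of notation, in most contexts we will use $\varphi$ to denote the strand mapping.

Figure 7: Protomorphism of Protoskeletons

We write $\mathbb{A} \overset{\lambda}{\dashrightarrow} \mathbb{B}$ when $\lambda$ is a protomorphism.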

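Definition 7.6 (Structure-preserving). A protomorphism $\mathbb{A} \overset{\varphi,\sigma}{\dashrightarrow} \mathbb{B}$ is structure-preserving if $n_0 \prec_{\mathbb{A}} n_1$ implies $\varphi(n_0) \prec_{\mathbb{B}} \varphi(n_1)$.

Clearly the composition of structure-preserving protomorphisms is a structure-preserving protomorphism.

Definition 7.7 (Point of origination preserving morphisms). A protomorphism $\mathbb{A} \overset{\varphi,\sigma}{\dashrightarrow} \mathbb{B}$ preserves points of origination if $\varphi(O_{\mathbb{A}}(t)) \subseteq O_{\mathbb{B}}(\sigma(t))$ for all $t \in U_{\mathbb{A}}$.

Definition 7.8 (Homomorphism). A protomorphism $\mathbb{A} \dashrightarrow \mathbb{B}$ is a homomorphism if it is structure-preserving and preserves points of origination.

Definition 7.8 allows the image of an atom in $U_{\mathbb{A}}$ to originate at more than one point.

We write $\mathbb{A} \xrightarrow{\lambda} \mathbb{B}$ when $\lambda$ is a homomorphism. We use $\mathrm{Protom}(\mathbb{A}, \mathbb{B})$ to denote the set of all protomorphisms from $\mathbb{A}$ to $\mathbb{B}$, and $\mathrm{Hom}(\mathbb{A}, \mathbb{B})$ to denote the set of all homomorphisms from $\mathbb{A}$ to $\mathbb{B}$.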

Proposition 7.9. The composition of homomorphisms between protoskeletons is a homomorphism.

Proof. Suppose $\mathbb{A} \xrightarrow{\varphi_0,\sigma_0} \mathbb{B}$, $\mathbb{B} \xrightarrow{\varphi_1,\sigma_1} \mathbb{C}$ are homomorphisms. For each $t \in U_{\mathbb{A}}$, $\sigma_0(t) \in U_{\mathbb{B}}$ by Property (4) of protomorphisms and thus by the definition of homomorphism,

$$\lambda_1(\lambda_0(O_{\mathbb{A}}(t))) \subseteq \lambda_1(O_{\mathbb{B}}(\sigma_0(t))) \subseteq O_{\mathbb{C}}(\sigma_1(\sigma_0(t))).$$

□

Given a protoskeleton $\mathbb{A} = (I, \Theta, \prec, N, U)$ and a receiving node $n$ of $\mathbb{A}$, we can define a fragment $\mathcal{F}_{\mathbb{A},n} = (T, U, N, a)$ where $-a = \mathrm{evt}(n)$ and where

$$T = \{t \mid \exists n' \in \mathbb{A},\ n' \prec n \text{ and } \mathrm{evt}(n') = +t\}.$$

We write $P_{\mathbb{A},n}$ to refer to $P_{\mathcal{F}_{\mathbb{A},n}}$.

Protoskeletons and protomorphisms form a category as well as protoskeletons and homomorphisms.

7.1  Preskeletons 

We now consider two additional subcategories of the protoskeleton categories. These categories will be full subcategories. Accordingly, when we refer to a protomorphism or homomorphism we will always regard it as a pair $(\varphi, \sigma)$.

Definition 7.10. A protoskeleton $\mathbb{A} = (I, \Theta, \prec, N, U)$ for a protocol $P$ is a preskeleton if

1. Relation $\prec$ is transitive, asymmetric, and includes the strand succession relation: $(s, i) \Rightarrow (s, i + 1)$ for all $(s, i + 1) \in \mathbb{A}$.

2. If $s \neq s'$ and $(s, i) \prec (s', j)$ then either $\mathrm{evt}(s, i) = +e$ and $\mathrm{evt}(s', j) = -e'$, or there exists a node $n$ such that $(s, i) \prec n \prec (s', j)$.

3. Each atom in $N$ is carried at no node of $\mathbb{A}$, and each variable in the atom occurs at some node of $\mathbb{A}$.

4. Each atom in $U$ is carried at some node of $\mathbb{A}$.

5. If $s$ is any strand such that $p_s \in P$, and $t \in U_{p_s}$ such that $t$ originates in $C_{p_s} \mid \mathrm{len}\,\Theta(s)$ at event $i$, then $\sigma_s(t)$ originates in $\Theta(s)$ at $(s, i)$.

Figure 8: One Case of Intermediate Node Condition: (2) of Definition 7.10. Two remaining cases: $-e$, $-e'$ and $-e$, $+e'$.


                                     Protoskeleton   Preskeleton   Skeleton
Has valid role assignment                  •              •            •
Inherited origination nodes                •              •            •
≺ is a strict partial order                               •            •
Origination assumptions satisfied                                      •

Figure 9: Salient differences between Proto, Pre and Proper Skeletons

Definition 7.11. A preskeleton $\mathbb{A} = (I, \Theta, \prec, N, U)$ for $P$ is a skeleton for $P$ if each atom in $U$ originates on exactly one strand, and the node of origination precedes each other node that carries the atom, i.e. for every $t \in U$, $n_0 \in O_{\mathbb{A}}(t)$ and $n_1 \in C_{\mathbb{A}}(t)$, $n_1 \neq n_0$ implies $n_0 \prec n_1$.

In  contexts  where  the  protocol  is  understood,  we  simply  refer  to  a  skeleton 
for  P  as  a  skeleton. 

We  use  PSkel(P),  PreSkel(P)  and  Skel(P)  to  denote  the  collections  of 
valid  protoskeletons  for  P,  valid  preskeletons  for  P,  and  valid  skeletons  for 
P,  respectively.  Since  the  protocol  P  is  fixed  for  the  remainder  of  the  paper, 
the  argument  P  will  be  mostly  omitted. 
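The step from preskeleton to skeleton in Definition 7.11 is a check on the node ordering. The following added example (not the paper's or CPSA's code) tests it on a constructed two-strand node space. It assumes each event is given as a direction plus the set of atom names its message carries, and that the ordering is supplied as cross-strand edges to which strand succession and transitivity are added; every name in it is hypothetical.

```python
from itertools import product

def nodes(theta):
    return [(s, i) for s, trace in theta.items() for i in range(len(trace))]

def order(theta, edges):
    """Transitive closure of the given cross-strand edges plus strand succession."""
    prec = set(edges)
    for s, trace in theta.items():
        prec |= {((s, i), (s, i + 1)) for i in range(len(trace) - 1)}
    ns = nodes(theta)
    for k, a, b in product(ns, repeat=3):      # Warshall: k is the outermost loop
        if (a, k) in prec and (k, b) in prec:
            prec.add((a, b))
    return prec

def origination_nodes(theta, t):
    """O(t): per strand, the first node carrying t, if that node is a transmission."""
    out = set()
    for s, trace in theta.items():
        for i, (direction, carried) in enumerate(trace):
            if t in carried:
                if direction == "+":
                    out.add((s, i))
                break
    return out

def carrying_nodes(theta, t):
    """C(t): every node whose message carries t."""
    return {(s, i) for s, trace in theta.items()
            for i, (_, carried) in enumerate(trace) if t in carried}

def skeleton_violations(theta, edges, U):
    """List of (subject, problem, detail) triples; empty when the asymmetry
    requirement and the condition of Definition 7.11 both hold."""
    prec = order(theta, edges)
    bad = []
    if any((b, a) in prec for (a, b) in prec):
        bad.append(("order", "not-asymmetric", None))
    for t in sorted(U):
        origins = origination_nodes(theta, t)
        if len(origins) != 1:                  # at most one origin per strand
            bad.append((t, "origin-strands", len(origins)))
            continue
        (n0,) = origins
        late = sorted(n1 for n1 in carrying_nodes(theta, t)
                      if n1 != n0 and (n0, n1) not in prec)
        if late:
            bad.append((t, "unordered", late))
    return bad

# Constructed sample: initiator and responder of a nonce exchange.
THETA = {
    "init": [("+", {"n1"}), ("-", {"n1", "n2"}), ("+", {"n2"})],
    "resp": [("-", {"n1"}), ("+", {"n1", "n2"}), ("-", {"n2"})],
}
FULL_ORDER = [(("init", 0), ("resp", 0)),
              (("resp", 1), ("init", 1)),
              (("init", 2), ("resp", 2))]

if __name__ == "__main__":
    print(skeleton_violations(THETA, FULL_ORDER, {"n1", "n2"}))
    print(skeleton_violations(THETA, FULL_ORDER[:1], {"n1", "n2"}))
```

With only the first edge supplied, `n2` is reported as unordered: the initiator carries it at nodes that the responder's origination node is not known to precede.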


7.2  Hierarchies  and  Commitments 

In  this  section  we  fix  a  protocol  P.  To  analyse  the  CPSA  algorithm,  we 
need  to  introduce  additional  structure  on  the  basic  protoskeleton  category. 


A protoskeleton refinement category is a category $C$ and a functor $F : C \to \mathrm{PSkel}$.


7.2.1  Assignment  Committed  Protoskeletons 

A pair $(\mathbb{A}, \mathcal{A})$ consisting of a protoskeleton $\mathbb{A}$ and a $P$-role assignment $\mathcal{A}$ is an assignment committed protoskeleton. To make this class of objects into a category, we first consider the behavior of role assignments under morphisms. There is no universally applicable way that role assignments can be regarded as transforming either covariantly, that is pushing the assignments forward under morphisms or contravariantly, pulling them back. We can however regard them as transforming covariantly in a weaker sense. Suppose $\mathbb{A}$, $\mathbb{B}$ are node spaces, $\lambda = (\varphi, \sigma) : \mathbb{A} \to \mathbb{B}$ is a homomorphism of node spaces. If

$$\mathcal{A} = \{(p^{\mathbb{A}}_s, \sigma^{\mathbb{A}}_s) : s \in I_{\mathbb{A}}\}, \qquad \mathcal{B} = \{(p^{\mathbb{B}}_s, \sigma^{\mathbb{B}}_s) : s \in I_{\mathbb{B}}\}$$

are role assignments for $\mathbb{A}$, $\mathbb{B}$ respectively such that for all $s \in I_{\mathbb{A}}$, $p^{\mathbb{B}}_{\varphi(s)} = p^{\mathbb{A}}_s$ then the role assignment $\mathcal{B}$ is a pushforward of $\mathcal{A}$ under $\lambda$. Thus instead of being a function, "pushforward" is a relation between role assignments.

Remark 7.12. The definition of pushforward under $\lambda = (\varphi, \sigma)$ says nothing about the substitutions $\sigma^{\mathbb{A}}$ and $\sigma^{\mathbb{B}}$. However in the basic cryptoalgebra,

$$\sigma \circ \sigma^{\mathbb{A}}(v) = \sigma^{\mathbb{B}}(v) \tag{6}$$

for all variables $v$ which occur in $C_{p_s} \mid \mathrm{len}\,\Theta(s)$.

Definition 7.13 (Assignment-preserving). A protomorphism $\mathbb{A} \overset{\lambda}{\dashrightarrow} \mathbb{B}$ is a protomorphism of assignment-committed protoskeletons $(\mathbb{A}, \mathcal{A}_{\mathbb{A}}) \to (\mathbb{B}, \mathcal{A}_{\mathbb{B}})$ if the role assignment $\mathcal{A}_{\mathbb{B}}$ is a pushforward of the role assignment $\mathcal{A}_{\mathbb{A}}$ under $\lambda$.

Remark 7.14. It follows immediately from the definitions that

$$F_{*\to} : (\mathbb{A}, \mathcal{A}) \mapsto \mathbb{A}$$

maps the class of assignment committed protoskeletons onto the class of protoskeletons. Any assignment-preserving protomorphism is a protomorphism, so $F_{*\to}$ can be considered a functor from the category of assignment-committed protoskeletons to protoskeletons.

We denote the category of assignment-committed protoskeletons by $\mathrm{PSkel}^{*}$.

7.2.2 Listener Committed Protoskeletons

Remark 7.15. The definition of protocol $P$ allows for roles $p$ such that the trace $C_p$ is a listener strand. However, to conform to the established usage in the CPSA specification we will use the term listener to refer to a strand which is specified by the listener pseudorole. Accordingly the listener set of a role assignment $\mathcal{A}$ is

$$L(\mathcal{A}) = \{s \in I_{\mathbb{A}} : \exists \sigma\ \mathcal{A}(s) = (\mathcal{L}, \sigma)\}. \tag{7}$$

By extension, we will also call this set the listeners of an assignment committed protoskeleton $(\mathbb{A}, \mathcal{A})$. Let $\mathbb{A}$ be a protoskeleton for protocol $P$. A valid set of listeners for $\mathbb{A}$ is a set of strands $L \subseteq I_{\mathbb{A}}$ of the form $L(\mathcal{A})$ for some role assignment $\mathcal{A}$. The protoskeleton $\mathbb{A}$ may contain listener strands not in $L(\mathcal{A})$ if the protocol $P$ has listener roles.

A listener committed protoskeleton is a pair $(\mathbb{A}, L_{\mathbb{A}})$ where $L_{\mathbb{A}}$ is a valid set of listeners for $\mathbb{A}$.

Definition 7.16 (Listener-respecting). $\mathbb{A} \overset{\varphi,\sigma}{\dashrightarrow} \mathbb{B}$ is a protomorphism of listener-committed protoskeletons from $(\mathbb{A}, L_{\mathbb{A}})$ to $(\mathbb{B}, L_{\mathbb{B}})$ if for every strand $s \in \mathbb{A}$, $s \notin L_{\mathbb{A}}$ implies $\varphi(s) \notin L_{\mathbb{B}}$.

We write $\mathbb{A}^{\circ} \overset{\varphi,\sigma}{\dashrightarrow} \mathbb{B}^{\circ}$ and $\mathbb{A}^{\circ} \xrightarrow{\varphi,\sigma} \mathbb{B}^{\circ}$ to denote that $(\varphi, \sigma)$ is a protomorphism (respectively homomorphism) of listener-committed protoskeletons from $\mathbb{A}^{\circ}$ to $\mathbb{B}^{\circ}$.

Remark 7.17. Similarly, there is a well-defined functor $F_{\circ\to}$ from listener committed protoskeletons to protoskeletons which simply forgets the listener set. Clearly

$$F_{*\to} = F_{\circ\to} \circ F_{*\to\circ}. \tag{8}$$

Since $F_{*\to}$ is surjective (Remark 7.14) $F_{\circ\to}$ is surjective.

Remark 7.18. It follows immediately from the definitions that

$$F_{*\to\circ} : (\mathbb{A}, \mathcal{A}) \mapsto (\mathbb{A}, L(\mathcal{A}))$$

maps the class of assignment committed protoskeletons onto the class of listener committed protoskeletons. If $(\varphi, \sigma)$ is a protomorphism of assignment-committed protoskeletons, then $(\varphi, \sigma)$ is also a protomorphism of the corresponding listener-committed protoskeletons. Thus we can consider $F_{*\to\circ}$ as a functor.

Definition 7.19. A protomorphism $\mathbb{A}^{\circ} \overset{\lambda}{\dashrightarrow} \mathbb{B}^{\circ}$ is assignment-consistent if there exist role assignments $\mathbb{A}^{*} = (\mathbb{A}, \mathcal{A}_{\mathbb{A}})$, $\mathbb{B}^{*} = (\mathbb{B}, \mathcal{A}_{\mathbb{B}})$ such that (1) $\mathbb{A}^{\circ}$ is the listener-committed version of $\mathbb{A}$ determined by $\mathbb{A}^{*}$, (2) $\mathbb{B}^{\circ}$ is the listener-committed version of $\mathbb{B}$ determined by $\mathbb{B}^{*}$, and $\lambda$ is a protomorphism of assignment-committed protoskeletons from $\mathbb{A}^{*}$ to $\mathbb{B}^{*}$.

Remark 7.20. $\mathbb{A}^{\circ} \dashrightarrow \mathbb{B}^{\circ}$ is assignment-consistent if and only if it is of the form $F_{*\to\circ}(\lambda^{*})$ for some $\mathbb{A}^{*} \overset{\lambda^{*}}{\dashrightarrow} \mathbb{B}^{*}$.

7.3  Diagrams 

We use $\mathrm{PSkel}^{*}(P)$, $\mathrm{PreSkel}^{*}(P)$ and $\mathrm{Skel}^{*}(P)$ to denote the collections of assignment committed protoskeletons for $P$, assignment committed preskeletons for $P$, and assignment committed skeletons for $P$, respectively. $\mathrm{PSkel}^{\circ}(P)$, $\mathrm{PreSkel}^{\circ}(P)$ and $\mathrm{Skel}^{\circ}(P)$ denote the collections of listener committed protoskeletons for $P$, listener committed preskeletons for $P$, and listener committed skeletons for $P$, respectively.

Remark 7.21. As a notational heuristic, we use $\mathbb{A}^{*}, \mathbb{B}^{*}$ and $\mathbb{A}^{\circ}, \mathbb{B}^{\circ}$ as symbols to denote assignment committed and listener committed skeletons (possibly proto or pre). Moreover, unless explicitly stated to the contrary, in a context in which either one of the symbols $\mathbb{A}^{*}$ or $\mathbb{A}^{\circ}$ are mentioned, the symbol $\mathbb{A}$ refers to the underlying protoskeleton, and, in a context in which $\mathbb{A}^{*}$ is mentioned, $\mathbb{A}^{\circ}$ refers to the listener-restriction of $\mathbb{A}^{*}$.

Let $P$ be a protocol. We have the following diagram:

$$\begin{array}{ccccc}
\mathrm{PSkel}^{*} & \hookleftarrow & \mathrm{PreSkel}^{*} & \hookleftarrow & \mathrm{Skel}^{*} \\
\downarrow F_{*\to\circ} & & \downarrow & & \downarrow \\
\mathrm{PSkel}^{\circ} & \hookleftarrow & \mathrm{PreSkel}^{\circ} & \hookleftarrow & \mathrm{Skel}^{\circ} \\
\downarrow F_{\circ\to} & & \downarrow & & \downarrow \\
\mathrm{PSkel} & \hookleftarrow & \mathrm{PreSkel} & \hookleftarrow & \mathrm{Skel}
\end{array} \tag{9}$$

where the downward arrows are structure removing mappings and leftward arrows are inclusion mappings. At this point of the exposition nothing can be said about functoriality of the arrows since no morphisms have been defined for any of these collections. That is the object of the next section.

The preceding remarks are summarized in the following proposition:

Proposition 7.22. In the diagram (9), the mappings $F_{*\to\circ}$ and $F_{\circ\to}$ are defined and surjective on all the columns.

7.4  Preservation  Properties 

In  arguments  involving  objects  such  as  protoskeletons  and  protomorphisms, 
it  is  desirable  to  identify  properties  of  these  objects  which  are  preserved  under 
some  specific  transformation  or  more  generally  some  relation.  Some  of  the 
properties  we  single  out  are  in  fact  negations  of  conditions  used  to  define  the 
main  categories  in  the  theory. 

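Non-asymmetry of protoskeleton $\mathbb{A}$ is the property that there are nodes $m$, $n$ for which $m \prec n$ and $n \prec m$. A non-asymmetric protoskeleton is not a skeleton.

Proposition 7.23 (Non-asymmetry preserved under structure-preserving protomorphisms). If $\mathbb{A}$ is a protoskeleton such that $\prec_{\mathbb{A}}$ is not asymmetric, then there is no structure-preserving protomorphism $\lambda$ from $\mathbb{A}$ to a protoskeleton $\mathbb{B}$.

Proof. If $m \prec n$ and $n \prec m$ in $\mathbb{A}$, and $\lambda = (\varphi, \sigma)$ is structure-preserving, then $\varphi(m) \prec \varphi(n)$ and $\varphi(n) \prec \varphi(m)$ in $\mathbb{B}$, so $\mathbb{B}$ is not a preskeleton. Note that even if $\varphi(m) = \varphi(n)$, $\prec$ is not asymmetric in $\mathbb{B}$. □

Proposition 7.24 (Point of origination non-preservation preserved under extensions). Suppose $\mathbb{A} \overset{\varphi,\sigma}{\dashrightarrow} \mathbb{B}$ and $t \in U_{\mathbb{A}}$ are such that $n \in O_{\mathbb{A}}(t)$, but $\varphi(n) \notin O_{\mathbb{B}}(\sigma(t))$. If $\mathbb{B} \overset{\varphi',\sigma'}{\dashrightarrow} \mathbb{C}$ is any protomorphism to any protoskeleton, then $(\varphi' \circ \varphi)(n) \notin O_{\mathbb{C}}((\sigma' \circ \sigma)(t))$.

Proof. Note that the message at $n$ carries $t$ in $\mathbb{A}$, so the message at $\varphi(n)$ carries $\sigma(t)$ in $\mathbb{B}$. If $\varphi(n)$ is not a point of origination of $\sigma(t)$ in $\mathbb{B}$, there must be a node $n' = (s, i)$ where $n = (s, j)$ and $i < j$, where $\varphi(n')$ carries $\sigma(t)$. Then $\varphi'(\varphi(n'))$ carries $\sigma'(\sigma(t))$, so $\varphi'(\varphi(n)) \notin O_{\mathbb{C}}(\sigma'(\sigma(t)))$. □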

Proposition 7.25 (Point of origination preservation preserved under protomorphism factoring). Suppose we have $\mathbb{A} \overset{\varphi,\sigma}{\dashrightarrow} \mathbb{B}$ and we have $\mathbb{A} \overset{\varphi',\sigma'}{\dashrightarrow} \mathbb{C}$ where there is some $\mathbb{C} \overset{\varphi'',\sigma''}{\dashrightarrow} \mathbb{B}$ such that $\varphi = \varphi'' \circ \varphi'$ and $\sigma = \sigma'' \circ \sigma'$. Then if $(\varphi, \sigma)$ preserves points of origination, $(\varphi', \sigma')$ preserves points of origination.

Proof. We prove the contrapositive: that if $(\varphi', \sigma')$ does not preserve points of origination then neither does $(\varphi, \sigma)$. Suppose $(\varphi', \sigma')$ does not preserve points of origination, and suppose $t \in U_{\mathbb{A}}$ and suppose $n \in O_{\mathbb{A}}(t)$ are such that $\varphi'(n) \notin O_{\mathbb{C}}(\sigma'(t))$. By Proposition 7.24, $\varphi''(\varphi'(n)) = \varphi(n) \notin O_{\mathbb{B}}(\sigma''(\sigma'(t))) = O_{\mathbb{B}}(\sigma(t))$. Thus, $(\varphi, \sigma)$ does not preserve points of origination. □

Proposition 7.26 (Violation of role-inherited unique origination constraints preserved under protomorphisms of assignment-committed protoskeletons). Suppose $\mathbb{A}^{*}$ is a protoskeleton, $\mathbb{B}^{*}$ is a protoskeleton meeting condition (5) of the definition of preskeleton and $\lambda$ is a protomorphism of assignment-committed protoskeletons from $\mathbb{A}^{*}$ to $\mathbb{B}^{*}$. Then $\mathbb{A}^{*}$ meets condition (5) of the definition of preskeleton.

Proof. Argue by contradiction. Suppose $\mathbb{A}^{*} = (\mathbb{A}, \mathcal{A})$ does not meet condition (5) of the definition of preskeleton. Then there is a strand $s$ and a $t \in U_{p_s}$ such that $t$ originates in $C_{p_s} \mid \mathrm{len}\,\Theta_{\mathbb{A}}(s)$ at event $i$ but $\sigma_s(t)$ does not originate in $\Theta_{\mathbb{A}}(s)$ at event $i$. Thus $\sigma_s(t)$ is carried at an earlier event $j$ on $\Theta_{\mathbb{A}}(s)$. But then $\sigma(\sigma_s(t))$ is carried at event $j$ in strand $\varphi(s)$ in $\mathbb{B}^{*}$. However, strand $\varphi(s)$ is associated in $\mathbb{B}^{*}$ with $p_s$ and thus $\mathbb{B}^{*}$ does not meet condition (5) of the definition of preskeleton. □

7.5  Coverage 

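If $\mathbb{A} = (I, \Theta, \prec, N, U)$ is a protoskeleton and $I' \subseteq I$ is any subset, then

$$\mathrm{Rmv}_{I'}(\mathbb{A}) = (I \setminus I',\ \Theta|_{I \setminus I'},\ \prec|_{(I \setminus I') \times (I \setminus I')},\ N,\ U).$$

We are particularly interested in the case where $I'$ is a valid listener set for $\mathbb{A}$. In that case, $\mathrm{Rmv}_{I'}(\mathbb{A})$ is a preskeleton (or skeleton) if $\mathbb{A}$ is a preskeleton (or skeleton). If $\mathbb{A}^\circ = (\mathbb{A}, L_{\mathbb{A}})$ is a listener committed protoskeleton, then

$$\mathrm{Rmv}\,\mathbb{A}^\circ = \mathrm{Rmv}_{L_{\mathbb{A}}}(\mathbb{A}). \tag{10}$$

Remark 7.27. By definition $\mathrm{Rmv}$ maps objects in $\mathrm{PSkel}^\circ$ to objects in $\mathrm{PSkel}$.

If $\mathbb{A}^\circ \overset{\lambda}{\dashrightarrow} \mathbb{B}^\circ$ is a protomorphism of listener-committed skeletons then by Definition 7.16, $\lambda|_{\mathrm{Rmv}\,\mathbb{A}^\circ}$ is a protomorphism $\mathrm{Rmv}\,\mathbb{A}^\circ \dashrightarrow \mathrm{Rmv}\,\mathbb{B}^\circ$. Thus we can view $\mathrm{Rmv}$ as a functor in the protomorphism categories $\mathrm{PSkel}^\circ \to \mathrm{PSkel}$. We will denote $\lambda|_{\mathrm{Rmv}\,\mathbb{A}^\circ}$ by $\mathrm{Rmv}(\lambda)$.

If $\mathbb{A}^\circ \to \mathbb{B}^\circ$ is a homomorphism, then $\mathrm{Rmv}\,\mathbb{A}^\circ \to \mathrm{Rmv}\,\mathbb{B}^\circ$ is a homomorphism. Proof: The order preserving property is obvious. Nothing can originate on a listener strand (Remark 6.2), therefore deleting any set of listener nodes does not affect origination nodes.

Remark 7.28. If $\mathbb{A}^\circ$ is a realized skeleton then $\mathrm{Rmv}(\mathbb{A}^\circ)$ is also realized. Proof: Removing listener strands on a preskeleton has no effect on the fragments at any of the remaining nodes.

Definition 7.29. The coverage of a listener committed skeleton $\mathbb{A}^\circ$, which we denote $[\mathbb{A}^\circ]$, is the collection of homomorphisms $\lambda|_{\mathrm{Rmv}(\mathbb{A}^\circ)}$ as $\lambda$ ranges over homomorphisms $\mathbb{A}^\circ \to \mathbb{B}^\circ$ with $\mathbb{B}$ realized.

Alternatively,

$$[\mathbb{A}^\circ] = \{(\mathrm{Rmv}\,\mathbb{B}^\circ, \lambda|_{\mathrm{Rmv}(\mathbb{A}^\circ)}) \mid \mathbb{B} \text{ is realized and } \mathbb{A}^\circ \xrightarrow{\lambda} \mathbb{B}^\circ\}. \tag{11}$$

Thus the coverage is some collection of homomorphisms $\mathrm{Rmv}(\mathbb{A}^\circ) \to \mathbb{B}$ into realized skeletons $\mathbb{B}$.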


8  Operators 

In this section, we define the notion of an operator, which transforms protoskeletons. We will then define the set of operators that CPSA most depends on. In general, an operator on a collection $S$ is a mapping $F$ whose domain consists of pairs $(a, r)$ where $a \in S$ and $r$ is an auxiliary parameter.

An operator for a protocol $P$ is a self-mapping on $\mathrm{PSkel}(P)$. An assignment-transforming operator is a partial self-mapping on $\mathrm{PSkel}^*(P)$. A listener-transforming operator is a partial self-mapping on $\mathrm{PSkel}^\circ(P)$. We will also use the generic term “operator” informally to refer to an operator on any of the protoskeleton categories and as a self-mapping on the category of node spaces.

In the assignment-transforming operators $\mathsf{f}$ we consider below, the protoskeleton component of $\mathsf{f}(\mathbb{A}, \mathcal{A})$ depends only on $\mathbb{A}$ and the role assignment component depends only on $\mathcal{A}$. We will call the role assignment component the role-assignment transformation. A desirable property of the role-assignment transformation is that the set of listeners in $\mathsf{f}(\mathbb{A}, \mathcal{A})$ depends only on the set of listener strands in $\mathcal{A}$.

Definition 8.1. An assignment-transforming operator $\mathsf{f}$ is well-behaved with respect to listeners if whenever $\mathcal{A}$ and $\mathcal{A}'$ are role assignments for a protoskeleton $\mathbb{A}$ which have the same set of pseudolisteners, the role assignments of $\mathsf{f}(\mathbb{A}, \mathcal{A})$ and $\mathsf{f}(\mathbb{A}, \mathcal{A}')$ also have the same set of pseudolisteners.

Whenever $\mathsf{f}$ is an assignment-transforming operator well-behaved with respect to listeners, we can view $\mathsf{f}$ as describing a well-defined listener-transforming operator, which we will also refer to as $\mathsf{f}$, abusing notation. Specifically, if $L_{\mathbb{A}}$ is a valid listener set for $\mathbb{A}$ then let $\mathcal{A}$ be a role assignment justifying its validity. Since the set of listeners under $\mathsf{f}(\mathcal{A})$ depends only on $L_{\mathbb{A}}$, we can view that set as the well-defined result of applying $\mathsf{f}$ to $L_{\mathbb{A}}$.

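A linking map $\Lambda_{\mathsf{f}}$ associated to an operator $\mathsf{f}$ (on any of the protoskeleton categories) associates to any protoskeleton $\mathbb{A}$ a protomorphism $\Lambda_{\mathsf{f}}(\mathbb{A}) = (\varphi_{\mathsf{f}}(\mathbb{A}), \sigma_{\mathsf{f}}(\mathbb{A}))$ from $\mathbb{A}$ to $\mathsf{f}(\mathbb{A})$. For each protoskeleton $\mathbb{A}$, $\Lambda_{\mathsf{f}}(\mathbb{A})$ is called the linking protomorphism. In particular, if the operator $\mathsf{f}$ acts on the protoskeleton category $\mathrm{PSkel}^*$, for each $\mathbb{A}^* \in \mathrm{PSkel}^*$, the linking protomorphism will be required to be an assignment-preserving protomorphism.

Remark 8.2. Suppose $(\mathbb{A}, \mathcal{A})$ is an assignment-committed protoskeleton with linking protomorphism $\Lambda_{\mathsf{f}}(\mathbb{A}) = (\varphi, \sigma)$. $\Lambda_{\mathsf{f}}(\mathbb{A})$ is assignment-preserving if and only if the role assignment $\mathcal{B}$ of $\mathsf{f}(\mathbb{A}, \mathcal{A})$ satisfies $\rho^{\mathcal{B}}_{\varphi(s)} = \rho^{\mathcal{A}}_s$ for every strand $s$ in $\mathbb{A}$. In particular $\rho^{\mathcal{B}}_{\varphi(s)}$ is a pseudolistener if and only if $\rho^{\mathcal{A}}_s$ is a pseudolistener. This remark proves:

Proposition 8.3. Suppose $\mathsf{f}$ is an assignment transforming operator with linking protomorphism $\Lambda_{\mathsf{f}}$. If for every assignment committed protoskeleton $(\mathbb{A}, \mathcal{A})$ the node mapping component of $\Lambda_{\mathsf{f}}(\mathbb{A}, \mathcal{A})$ is surjective, then $\mathsf{f}$ is well-behaved with respect to listeners.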

CPSA operates at the listener-committed protoskeleton level, so it is important that:

• Operators we use are listener-transforming, and

• Operators we use have linking protomorphisms that are protomorphisms of listener-committed protoskeletons from $\mathbb{A}^\circ$ to $\mathsf{f}(\mathbb{A}^\circ)$.

Most of the operators we use are actually assignment-transforming operators well-behaved with respect to listeners.

8.1 Suites

A suite is a map from $\mathrm{PSkel}^\circ$ to a set of listener-transforming operators, that is

$$\mathfrak{f} : \mathrm{PSkel}^\circ \to \mathcal{P}(\{\mathsf{f} \mid \mathsf{f} \text{ is a listener-transforming operator}\})$$

We use $\mathfrak{f}[\mathbb{A}^\circ]$ to denote $\{\mathsf{f}(\mathbb{A}^\circ) \mid \mathsf{f} \in \mathfrak{f}(\mathbb{A}^\circ)\}$.

If $\mathfrak{f}$ and $\mathfrak{g}$ are suites, then $\mathfrak{f} \circ \mathfrak{g}$ is a suite where $\mathfrak{f} \circ \mathfrak{g}(\mathbb{A}^\circ) = \{\mathsf{f} \circ \mathsf{g} \mid \mathsf{g} \in \mathfrak{g}(\mathbb{A}^\circ),\ \mathsf{f} \in \mathfrak{f}(\mathsf{g}(\mathbb{A}^\circ))\}$.

At the top level, CPSA is a setwise term reduction system, driven by reductions $\mathfrak{f}[\cdot]$ for various suites.

8.2  Filters 

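A filter is a predicate on pairs $(\mathbb{A}^\circ, \mathsf{f})$ where $\mathsf{f}$ is an operator on $\mathbb{A}^\circ$. If $F$ is a filter and $\mathfrak{f}$ is a suite, $\mathfrak{f}_F$ is a suite, where $\mathfrak{f}_F(\mathbb{A}^\circ) = \{\mathsf{f} \mid \mathsf{f} \in \mathfrak{f}(\mathbb{A}^\circ) \text{ and } (\mathbb{A}^\circ, \mathsf{f}) \in F\}$.

If $F$ is a filter and $\mathsf{f}$ is a listener-transforming operator, then $\mathsf{f}_F$ is a suite which, on input $\mathbb{A}^\circ$, is $\{\mathsf{f}\}$ if $(\mathbb{A}^\circ, \mathsf{f}) \in F$ and $\emptyset$ otherwise.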

8.3  Primitive  Operators 

In  this  section  we  describe  some  very  simple  operators  from  which  our  more 
complicated  test-solving  operators  are  built. 

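Definition 8.4 (Identity operator). For any protoskeleton $\mathbb{A}$, $\mathrm{Id}(\mathbb{A}) = \mathbb{A}$. The corresponding role-assignment transformation is $\mathrm{Id}(\mathcal{A}) = \mathcal{A}$.

The linking map $\Lambda_{\mathrm{Id}}$ is the identity protomorphism:

$$\Lambda_{\mathrm{Id}}(\mathbb{A}) = (\mathrm{Id}_{\mathbb{A}}, \mathrm{Id}_{\mathfrak{A}}).$$

The linking protomorphism for $\mathrm{Id}(\mathbb{A})$ is a protomorphism of assignment-committed protoskeletons.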

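If $\sigma$ is a substitution, we can define an operator $\mathrm{Sub}_\sigma$ based on $\sigma$: basically, we apply $\sigma$ to all algebraic parts of $\mathbb{A}$ while leaving its node structure alone.

Definition 8.5 (Substitution operator). If $\sigma \in \mathrm{End}(\mathfrak{A})$ then we define the operator $\mathrm{Sub}_\sigma$ as follows. If $\mathbb{A} = (I, \Theta, \prec, N, U)$ then

$$\mathrm{Sub}_\sigma(\mathbb{A}) = (I,\ \sigma \circ \Theta,\ \prec,\ \sigma(N),\ \sigma(U)).$$

The linking map $\Lambda_{\mathrm{Sub}_\sigma}$ is defined as follows:

$$\Lambda_{\mathrm{Sub}_\sigma}(\mathbb{A}) = (\mathrm{Id}_{\mathbb{A}}, \sigma)$$

The role-assignment transformation is defined as follows: If $\mathcal{A} = \{(\rho_s, \sigma_s) : s \in I\}$ is a role assignment, then $\mathrm{Sub}_\sigma(\mathcal{A}) = \{(\rho_s, \sigma \circ \sigma_s) : s \in I\}$.

Remark 8.6. If $\mathbb{A} = (I, \Theta, \prec, N, U)$ is a protoskeleton with validating role assignment $\mathcal{A}$, $\mathrm{Sub}_\sigma(\mathbb{A})$ is a protoskeleton with validating role assignment $\mathrm{Sub}_\sigma(\mathcal{A})$. This follows from the definition of protoskeleton (7.2).

$$N_{\mathrm{Sub}_\sigma(\mathbb{A})} = \sigma(N) \supseteq \sigma(N_{\mathcal{A}}) = N_{\mathrm{Sub}_\sigma(\mathcal{A})}$$

and

$$U_{\mathrm{Sub}_\sigma(\mathbb{A})} = \sigma(U) \supseteq \sigma(U_{\mathcal{A}}) = U_{\mathrm{Sub}_\sigma(\mathcal{A})}.$$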

Remark  8.7.  By  Proposition  8.3,  the  substitution  operators  are  well-behaved 
with  respect  to  assignments. 

Note that the linking protomorphism $\Lambda_{\mathrm{Sub}_\sigma}(\mathbb{A})$ is not necessarily a homomorphism since preservation of nodes of origination may fail. We say that a substitution $\sigma$ is homomorphic if the linking protomorphism of $\mathrm{Sub}_\sigma$ is a homomorphism. Note also that the linking protomorphism is a protomorphism of listener-committed protoskeletons.

The  compression  operator  combines  two  compatible  strands.  Recall  that 
a  strand  is  a  node  space  consisting  of  a  single  strand. 

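Definition 8.8 (Compression operator). Suppose $s, s'$ are strands and $\mathbb{A}$ is a protoskeleton. $\mathrm{Comp}_{s,s'}(\mathbb{A})$ is defined only when $s, s' \in I_{\mathbb{A}}$ and $\Theta(s)$ is a prefix of $\Theta(s')$ or $\Theta(s')$ is a prefix of $\Theta(s)$. Assume this is the case. If $s, s'$ have different lengths, let $s_{\max}$ be the strand out of $\{s, s'\}$ of greater length and let $s_{\min}$ be the other strand; otherwise $s_{\max} = s$ and $s_{\min} = s'$.

$$\mathrm{Comp}_{s,s'}(\mathbb{A}) = (I \setminus \{s_{\min}\},\ \Theta|_{I \setminus \{s_{\min}\}},\ \prec',\ N,\ U)$$

where the relation $\prec'$ is defined based on the linking protomorphism

$$\Lambda_{\mathrm{Comp}_{s,s'}}(\mathbb{A}) = (\varphi_{\mathrm{Comp}_{s,s'}}, \mathrm{Id}_{\mathfrak{A}})$$

where $\varphi_{\mathrm{Comp}_{s,s'}}$ is the identity on the nodes in $I \setminus \{s_{\min}\}$ but $\varphi_{\mathrm{Comp}_{s,s'}}(s_{\min}) = s_{\max}$.

The relation $\prec'$ is the smallest transitive relation such that for all $n, n' \in \mathbb{A}$, if $n \prec n'$ then $\varphi_{\mathrm{Comp}_{s,s'}}(n) \prec' \varphi_{\mathrm{Comp}_{s,s'}}(n')$.

The listener transformation of $\mathrm{Comp}_{s,s'}$ is defined as follows

$$\mathrm{Comp}_{s,s'}(L_{\mathbb{A}}) = \begin{cases} L_{\mathbb{A}} \setminus \{s_{\min}\} & \text{if } \{s, s'\} \subseteq L_{\mathbb{A}} \\ L_{\mathbb{A}} \setminus \{s, s'\} & \text{otherwise} \end{cases}$$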


Remark 8.9. The compression operator is not always viewable as assignment-transforming: the main issue is that although $\Theta(s)$ is a prefix of $\Theta(s')$ this does not guarantee that both $s$ and $s'$ are instances of the same role in all role assignments. However, our description of $\mathrm{Comp}_{s,s'}$ as a listener-transforming operator guarantees that the linking protomorphism will always be a protomorphism of listener-committed protoskeletons.

Remark 8.10. First a definition: Given a role assignment $\mathcal{A} = \{(\rho_s, \sigma_s) : s \in I\}$ and strands $s, s'$, $\mathcal{A}(s)$ is compatible with $\mathcal{A}(s')$ if and only if $\rho_s = \rho_{s'}$. Suppose $s, s'$ are given. If an assignment-committed protoskeleton $(\mathbb{A}, \mathcal{A})$ is such that $\mathcal{A}(s)$ is compatible with $\mathcal{A}(s')$, then one can view $\mathrm{Comp}_{s,s'}$ as an assignment-transforming operator on $(\mathbb{A}, \mathcal{A})$. Moreover by Proposition 8.3 the operator is well-behaved with respect to listeners.

Remark 8.11. It is clear that $\mathrm{Comp}_{s,s'}(\mathbb{A})$ is a protoskeleton, regardless of the relation $\prec'$. However, if $\mathbb{A}$ is a preskeleton, $\mathrm{Comp}_{s,s'}(\mathbb{A})$ need not be a preskeleton because $\prec'$ may have a cycle violating Condition 1 of Definition 7.10.

Given a protoskeleton $\mathbb{A}$, order enrichment only affects the order relation.


Definition 8.12 (Order enrichment operator). If $\mathbb{A} = (I_{\mathbb{A}}, \Theta_{\mathbb{A}}, \prec_{\mathbb{A}}, N_{\mathbb{A}}, U_{\mathbb{A}})$, then

$$\mathrm{OE}(\mathbb{A}) = (I_{\mathbb{A}}, \Theta_{\mathbb{A}}, \prec', N_{\mathbb{A}}, U_{\mathbb{A}})$$

where $\prec'$ is the smallest transitive relation such that

1. If $n \prec_{\mathbb{A}} n'$ then $n \prec' n'$ and

2. If $t \in U$ and $t$ originates in $\mathbb{A}$ at $n$, and $n'$ is any other node at which $t$ is carried then $n \prec' n'$.

The role-assignment transformation is the identity.
The linking protomorphism is the identity:

$$\Lambda_{\mathrm{OE}}(\mathbb{A}) = (\mathrm{Id}_{\mathbb{A}}, \mathrm{Id}_{\mathfrak{A}})$$

The linking protomorphism is clearly a protomorphism of assignment-committed protoskeletons.

Remark  8.13.  By  Proposition  8.3,  the  order  enrichment  operator  is  well- 
behaved  with  respect  to  listeners. 
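
The compression and order enrichment operators of Definitions 8.8 and 8.12, together with the cycle that Remark 8.11 warns about, as an added Python sketch (not code from the paper or from the CPSA Haskell sources). The dict-based protoskeleton, the `("enc", plaintext, key)` and `("cat", a, b)` term encoding, 0-based node indices and all function names are assumptions of this example; `carries` and `origination_nodes` follow the usual strand-space definitions, since the paper's own are given outside this section.

```python
def carries(term, t):
    """t is carried by term: term itself, a pair component, or an
    encryption's plaintext (never its key)."""
    if term == t:
        return True
    if isinstance(term, tuple) and term[0] == "cat":
        return carries(term[1], t) or carries(term[2], t)
    if isinstance(term, tuple) and term[0] == "enc":
        return carries(term[1], t)
    return False


def transitive_closure(rel):
    """Smallest transitive relation containing rel."""
    closure = set(rel)
    while True:
        step = {(a, d) for (a, b) in closure for (c, d) in closure if b == c}
        if step <= closure:
            return closure
        closure |= step


def strand_order(traces):
    """Successor pairs along each strand; nodes are (strand, index), 0-based."""
    return {((s, i), (s, i + 1))
            for s, tr in traces.items() for i in range(len(tr) - 1)}


def has_cycle(order):
    """True if some node ends up ordered before itself."""
    return any(a == b for (a, b) in transitive_closure(order))


def compress(skel, s, s2):
    """Comp_{s,s'}: fold the shorter strand into the longer one."""
    a, b = skel["traces"][s], skel["traces"][s2]
    if s == s2 or (a[:len(b)] != b and b[:len(a)] != a):
        raise ValueError("Comp undefined: need distinct strands, one a prefix of the other")
    s_max, s_min = (s2, s) if len(b) > len(a) else (s, s2)

    def phi(node):  # node component of the linking protomorphism
        return (s_max, node[1]) if node[0] == s_min else node

    traces = {k: v for k, v in skel["traces"].items() if k != s_min}
    order = transitive_closure({(phi(x), phi(y)) for (x, y) in skel["order"]})
    return {**skel, "traces": traces, "order": order}, phi


def origination_nodes(traces, t):
    """First node on each strand carrying t, kept only if it is a transmission."""
    found = set()
    for s, tr in traces.items():
        for i, (direction, msg) in enumerate(tr):
            if carries(msg, t):
                if direction == "+":
                    found.add((s, i))
                break
    return found


def order_enrich(skel):
    """OE: add n < n' whenever t in U originates at n and is carried at n'."""
    traces, extra = skel["traces"], set()
    for t in skel["uniq"]:
        carried = {(s, i) for s, tr in traces.items()
                   for i, (_, msg) in enumerate(tr) if carries(msg, t)}
        for n in origination_nodes(traces, t):
            extra |= {(n, n2) for n2 in carried if n2 != n}
    return {**skel, "order": transitive_closure(skel["order"] | extra)}


def demo_order_enrichment():
    # Constructed sample: nonce n is sent encrypted by "init", then echoed by "resp".
    traces = {"init": [("+", ("enc", "n", "k"))],
              "resp": [("-", ("enc", "n", "k")), ("+", "n")]}
    skel = {"traces": traces, "order": strand_order(traces),
            "non": {"k"}, "uniq": {"n"}}
    return order_enrich(skel)["order"]


def demo_compression_cycle():
    # Constructed sample: a and b have equal traces, and b receives m only
    # after c has received the x that a sends at its last node.
    traces = {"a": [("-", "m"), ("+", "x")],
              "b": [("-", "m"), ("+", "x")],
              "c": [("-", "x"), ("+", "m")]}
    order = strand_order(traces) | {(("a", 1), ("c", 0)), (("c", 1), ("b", 0))}
    skel = {"traces": traces, "order": order, "non": set(), "uniq": set()}
    merged, _ = compress(skel, "a", "b")
    return has_cycle(order), has_cycle(merged["order"]), sorted(merged["traces"])
```

In the second demo the input order is acyclic, but identifying `b` with `a` closes the loop a0, a1, c0, c1, a0, so the compressed result is a protoskeleton that fails the ordering condition of a preskeleton.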

Finally, the augmentation operator adds a strand. Recall that for a role or pseudorole $\rho$, $C_\rho$ is the trace of $\rho$.

Definition 8.14 (Augmentation operator). Let $\mathbb{A} = (I, \Theta, \prec, N, U)$. Let $n \in \mathbb{A}$ be any reception node. Let $\rho \in (P \cup \{\mathcal{L}\})$. Let $i < |C_\rho|$ such that $\mathrm{evt}_{C_\rho, i}$ is a transmission and let $\sigma$ be any substitution. Let $s^* \notin I_{\mathbb{A}}$. Then

$$\mathrm{Aug}_{n,\rho,i,\sigma,s^*}(\mathbb{A}) = (I', \Theta', \prec', N', U')$$

where:

• $I' = I \cup \{s^*\}$.

• $\Theta'(s) = \Theta(s)$ for $s \in I$ and $\Theta'(s^*) = \sigma(C_\rho|_i)$.

• $(s_1, i_1) \prec' (s_2, i_2)$ if and only if one of the following holds:

1. $s_1, s_2 \in I$ and $(s_1, i_1) \prec (s_2, i_2)$,

2. $s_1 = s_2 = s^*$ and $i_1 < i_2$; or

3. $s_1 = s^*$, $s_2 \in I$, and $n \preceq (s_2, i_2)$.

•  A/7  =  Af  U  [o’]  * 

The augmentation operator has an associated linking protomorphism where

$$\Lambda_{\mathrm{Aug}_{n,\rho,i,\sigma,s^*}}(\mathbb{A}) = (\mathrm{Id}_{\mathbb{A}}, \mathrm{Id}_{\mathfrak{A}}).$$

The role assignment transformation $\mathrm{Aug}_{n,\rho,i,\sigma,s^*}(\mathcal{A})$ is equal to $\mathcal{A}$ on strands in $I$ but maps $s^*$ to $(\rho, \sigma)$.

Note that $\mathrm{Aug}_{n,\rho,i,\sigma,s^*}(\mathbb{A})$ may not always be a preskeleton even if $\mathbb{A}$ is, but $\Lambda_{\mathrm{Aug}_{n,\rho,i,\sigma,s^*}}(\mathbb{A})$ is always a homomorphism, and is always a homomorphism of assignment-committed protoskeletons.

Remark 8.15. Any augmentation operator $\mathsf{f}$ is well-behaved with respect to listeners. This does not immediately follow from Proposition 8.3 since the node mapping component of $\Lambda_{\mathsf{f}}(\mathbb{A}, \mathcal{A})$ is not surjective. However $\Lambda_{\mathsf{f}}(\mathbb{A}, \mathcal{A})$ only misses those elements in the new strand $s^*$ and the role for this new strand is prescribed by $\rho$ which is a parameter in $\mathsf{f}$.

Theorem 8.16 (Preskeleton property preserved under primitive operators). Let $\mathbb{A}^*$ and $\mathbb{B}^*$ be preskeletons and $\mathsf{f}$ be an assignment-transforming primitive operator on $\mathbb{A}^*$ such that there is a commutative diagram:

[commutative diagram relating $\mathbb{A}^*$, $\mathsf{f}(\mathbb{A}^*)$ and $\mathbb{B}^*$ via $\lambda$ and $\lambda'$]

where $\lambda$ is a structure-preserving protomorphism of assignment-committed preskeletons and $\lambda'$ is a protomorphism of assignment-committed protoskeletons. Then $\mathsf{f}(\mathbb{A}^*)$ is a preskeleton.

Proof. Asymmetry of $\prec$ (part of Condition (1) of Definition 7.10) is assured by Proposition 7.23 and Condition (5) is assured by Proposition 7.26. For the remaining properties our proof proceeds by cases, one for each primitive operator. Let $\lambda = (\varphi, \sigma)$ and let $\lambda' = (\varphi', \sigma')$.

$\mathsf{f} = \mathrm{Id}$: Since $\mathrm{Id}(\mathbb{A}^*) = \mathbb{A}^*$, $\mathsf{f}(\mathbb{A}^*)$ is a preskeleton, and meets all required conditions.

$\mathsf{f} = \mathrm{Sub}_{\sigma_0}$: Since the set of nodes and the ordering of $\mathsf{f}(\mathbb{A}^*)$ are the same as those of $\mathbb{A}^*$, it should be clear that $\mathsf{f}(\mathbb{A}^*)$ meets condition (2) and satisfies the remaining properties of (1).

Proof of Property (3): Suppose $t \in N_{\mathsf{f}(\mathbb{A}^*)}$. If $t$ is carried at a node $n$ of $\mathsf{f}(\mathbb{A}^*)$ then $\sigma'(t) \in \sigma'(N_{\mathsf{f}(\mathbb{A}^*)}) \subseteq N_{\mathbb{B}^*}$ is carried at node $\varphi'(n)$. This contradicts $\mathbb{B}^*$ being a preskeleton. Therefore $t$ is carried at no node of $\mathsf{f}(\mathbb{A}^*)$. Next, $t$ is of the form $\sigma_0(s)$ for some $s \in N_{\mathbb{A}}$. Every variable in $s$ occurs at some node in $\mathbb{A}^*$. Therefore every variable in $t$ occurs at some node in $\mathbb{B}^*$.

Proof  of  Property  (4).  Let  t  G  t  is  of  the  form  u0(s)  for  some  some 

$s \in N_{\mathbb{A}}$. $s$ is carried at a node $n$ in $\mathbb{A}^*$, and therefore $t$ is carried at node $n$.

$\mathsf{f} = \mathrm{Comp}_{s,s'}$: Note that if $\mathsf{f}$ is assignment-transforming in this case then $\mathcal{A}(s)$, $\mathcal{A}(s')$ are compatible (Remark 8.10). The ordering $\prec_{\mathrm{Comp}_{s,s'}(\mathbb{A}^*)}$ is defined to be transitive. Moreover, since the linking homomorphism is surjective, the ordering $\prec_{\mathrm{Comp}_{s,s'}(\mathbb{A}^*)}$ includes the strand ordering. Condition (2) follows from the fact that $\varphi_{\mathrm{Comp}_{s,s'}(\mathbb{A}^*)}$ is defined to be structure-preserving. Conditions (3) and (4) follow from the fact that $N_{\mathrm{Comp}_{s,s'}(\mathbb{A}^*)} = N_{\mathbb{A}^*}$ and $U_{\mathrm{Comp}_{s,s'}(\mathbb{A}^*)} = U_{\mathbb{A}^*}$, and that every event in $\mathbb{A}^*$ is present in $\mathsf{f}(\mathbb{A}^*)$ since we eliminate only completely duplicated nodes.

$\mathsf{f} = \mathrm{OE}$: Like $\mathrm{Comp}_{s,s'}$, $\prec_{\mathrm{OE}(\mathbb{A}^*)}$ is defined to be structure-preserving and transitive, and all events in $\mathbb{A}^*$ are present (at the same node) in $\mathrm{OE}(\mathbb{A}^*)$, so all required conditions are clearly met.

$\mathsf{f} = \mathrm{Aug}_{n,\rho,i,\sigma,s^*}$: Here, transitivity of $\prec_{\mathsf{f}(\mathbb{A}^*)}$ is established as follows. If $n_1 = (s_1, i_1)$, $n_2 = (s_2, i_2)$, $n_3 = (s_3, i_3)$ are nodes in $\mathsf{f}(\mathbb{A}^*)$ and $n_1 \prec n_2$ and $n_2 \prec n_3$ then:

• If $s_2 \in I$ then $s_3$ must be in $I$ and $n_2 \prec_{\mathbb{A}^*} n_3$. If $n_1 \prec_{\mathbb{A}^*} n_2$ then by transitivity in $\mathbb{A}^*$, $n_1 \prec_{\mathbb{A}^*} n_3$. If $s_1 = s^*$ then $n \prec_{\mathbb{A}^*} n_2$, so $n \prec_{\mathbb{A}^*} n_3$ and thus $n_1 \prec_{\mathsf{f}(\mathbb{A}^*)} n_3$.

• If $s_2 = s^*$ then $s_1 = s^*$ also. If $s_3 = s^*$ then $i_3 > i_2$ and $i_2 > i_1$ so $n_1 \prec n_3$. Otherwise, $n \prec_{\mathbb{A}^*} n_3$ so $n_1 \prec_{\mathsf{f}(\mathbb{A}^*)} n_3$.

Condition (2) holds in $\mathsf{f}(\mathbb{A}^*)$: if $n_1 = (s_1, i_1)$ and $n_2 = (s_2, i_2)$ and $n_1 \prec n_2$ where $s_1 \neq s_2$ then there are two cases. If $s_1, s_2 \in I$ the property holds because $\mathbb{A}^*$ is a preskeleton. Otherwise, it must be the case that $s_1 = s^*$ and $s_2 \in I$. If there is no node between $n_1$ and $n_2$ it must be that $n_2 = n$ and $n_1$ is the last node of $s^*$. But the event at $n$ is a reception and the event at the last node of $s^*$ is a transmission. □

An obvious corollary to this theorem is that the same property holds for any composition of any number of primitive operators, so long as they are each assignment-transforming.

9  Suites  and  the  Setwise  Reduction 

CPSA proceeds by maintaining a set of listener-committed skeletons $\mathbb{A}^\circ$ for $P$. The initial state consists of one skeleton $\{\mathbb{A}^\circ\}$ which we call the point of view.¹

At each iteration, we rewrite the set by replacing an unrealized skeleton in the set with a set of skeletons called the cohort of the unrealized skeleton (for a specific critical path in an unrealized node in that skeleton). The cohort calculation takes place in two phases: first, we calculate the pre-cohort, which is a set of listener-committed preskeletons. Then, we calculate the skeletonization of each pre-cohort member, which produces a set of listener-committed skeletons. We describe the cohort, the pre-cohort, and the skeletonization steps as suites.

In addition to these suites, CPSA also makes use of certain algorithms for arbitrary choices. In this document we pay no attention to how these functions are instantiated; we only remark the following:

• $\mathrm{NAME}(\mathbb{A})$ is a choice of name for a new strand to add to $\mathbb{A}$. $\mathrm{NAME}(\mathbb{A}) \notin I_{\mathbb{A}}$.

• $\mathrm{TEST}(\mathbb{A})$ is a choice of a test (see Definition 10.5) in an unrealized skeleton.

• $\mathrm{UOI}(\mathbb{A})$ is a choice of a unique origination issue. If $\mathbb{A}$ does not satisfy the condition of being a skeleton that every atom in $U_{\mathbb{A}}$ originates at at most one node, then $\mathrm{UOI}(\mathbb{A})$ returns a triple $(t, n, n')$ such that $t \in U_{\mathbb{A}}$ and $n \neq n'$ are both in $\mathcal{O}_{\mathbb{A}}(t)$.

• $\mathrm{SEARCH}(S)$ is a choice of which skeleton to perform the cohort operation on. Given a set $S$ of listener-committed skeletons, at least one of which is unrealized, $\mathrm{SEARCH}(S)$ returns one of the unrealized skeletons in $S$.

• $\mathrm{FR}(\mathbb{A}, \rho, i)$ is a substitution that maps each variable occurring in $C_\rho|_i$ to a distinct variable not occurring in $\mathbb{A}$ or in any role of the protocol.

9.1  The  Pre-Cohort  Suite 

The pre-cohort suite is designed to infer additional honest behavior or restrictions on a skeleton in order to make progress in resolving a critical path.

¹ Actually, CPSA allows the user to specify a pre-skeleton which is then skeletonized, but this is a convenience feature.

Suppose $\mathbb{A}$ is an unrealized skeleton with valid listener set $L_{\mathbb{A}}$, and that $n$ is an unrealized node of $\mathbb{A}$, and that $p$ is a critical path with endpoint $\mathit{ep}$ of the term $\mathrm{evt}_{\mathbb{A}}(n)$ in the fragment $\mathcal{F}_{\mathbb{A},n}$. The pre-cohort suite is

$$\mathfrak{P}_{n,p}(\mathbb{A}^\circ) = \mathfrak{c}_{n,p}(\mathbb{A}^\circ) \cup \mathfrak{a}_{n,p}(\mathbb{A}^\circ) \cup \mathfrak{d}_{n,p}(\mathbb{A}^\circ) \cup \mathfrak{l}_{n,p}(\mathbb{A}^\circ), \tag{13}$$

where the suites in the union are defined as follows.

Definition 9.1 (Contraction suite).

$$\mathfrak{c}_{n,p}(\mathbb{A}^\circ) = \bigcup_{S \in Z} \{\mathrm{Sub}_\sigma \mid \sigma \in S\} \tag{14}$$

where $Z$ is a set of $S_{a,b}$ for each $a \in \mathrm{Esc}(\mathcal{F}_{\mathbb{A},n}, \mathit{ep})$ and for each $b$ visited by $p$ where $S_{a,b}$ is a complete set of most general unifiers of $a, b$.

Definition 9.2 (Regular Augmentation suite).

$$\mathfrak{a}_{n,p}(\mathbb{A}^\circ) = \{\mathrm{Sub}_{\sigma_1} \circ \mathrm{Aug}_{n,\rho,i,\sigma_0 \circ \mathrm{FR}(\mathbb{A},\rho,i),s^*}\} \tag{15}$$

where $\sigma_0 \in S_0$, $\sigma_1 \in S_1$, $s^* = \mathrm{NAME}(\mathbb{A})$ and $\rho, i, \sigma_0, \sigma_1, S_0, S_1$ are as defined below.

• $\mathcal{R} \in P$ and $i$ is such that $C_{\mathcal{R}}(i)$ is defined and is a send event. Let $C = C_{\mathcal{R}}|_i$.

• There is a path $\mathit{pp} \in \mathrm{CarPath}(C(i))$ and a term $\mathit{tt}$ such that either (i) the endpoint of $\mathit{pp}$ is a variable not of sort MESG and $\mathit{tt} = \mathit{ep}$ or (ii) the endpoint of $\mathit{pp}$ is a variable of sort MESG and $\mathit{tt} \in \mathrm{Targ}(\mathrm{Esc}(\mathcal{F}, \mathit{ep}), \mathit{ep})$.

• $S_0$ is a set of most general unifiers of $\mathit{tt}$ with the endpoint of $\mathrm{FR}(\mathbb{A}, \rho, i)(\mathit{pp})$.

• $S_1$ is a set of most general maps $\sigma_1$ such that for all $i' < i$ and for all paths $p' \in \mathrm{CarPath}(C(i'))$, if the endpoint of $\sigma_1((\sigma_0 \circ \mathrm{FR}(\mathbb{A}, \rho, i))(p'))$ is $\sigma_1(\mathit{ep})$ then $\sigma_1(p')$ visits an element of $\sigma_1(\mathrm{Esc}(\mathcal{F}_{\mathbb{A},n}, \mathit{ep}))$.

Note that it is not obvious that $S_1$ exists, let alone that there is a finite set of such maps we can calculate efficiently. However, their existence, and the ability of CPSA to identify a covering set of them, is proven in Appendix A.

Definition 9.3 (Displacement suite.).

$$\mathfrak{d}_{n,p}(\mathbb{A}^\circ) = \{\mathrm{Comp}_{s,s^*} \circ \mathrm{Sub}_{\sigma_2 \circ \sigma_1} \circ \mathrm{Aug}_{n,\rho,i,\sigma_0 \circ \mathrm{FR}(\mathbb{A},\rho,i),s^*}\} \tag{16}$$

where $\rho, i, \sigma_0, \sigma_1, s^*$ are as in the definition of $\mathfrak{a}_{n,p}(\mathbb{A}^\circ)$, $\sigma_2 \in S$, and $s, S$ have the properties described below.

• $s$ is a strand in $\mathbb{A}$ and there exists a role assignment $\mathcal{A}$ such that $s$ is associated with role $\rho$.

• $S$ is a set of most general unifiers of the first $i'$ events in $s$ and the first $i'$ events in $s'$ where $i'$ is the smaller of $|s|$ and $i$.

Remark 9.4. Displacement is the only pre-cohort sub-suite that involves the compression operator, and is thus the only place where a concern arises as to whether operators in the pre-cohort suite can be viewed as assignment-transforming. A displacement operator $\mathrm{Comp}_{s,s^*} \circ \mathrm{Sub}_{\sigma_2 \circ \sigma_1} \circ \mathrm{Aug}_{n,\rho,i,\sigma_0,s^*}$ is assignment-transforming on $(\mathbb{A}, \mathcal{A})$ whenever $\mathcal{A}$ associates strand $s$ with $\rho$, because in such cases compression occurs between two strands with the same role association, and therefore, the association of the combined strand is unambiguous.

Definition 9.5 (Listener augmentation suite.). $\mathfrak{l}_{n,p}(\mathbb{A}^\circ) = \mathfrak{esl}_{n,p}(\mathbb{A}^\circ) \cup \mathfrak{cpl}_{n,p}(\mathbb{A}^\circ)$ where:

• Escape set listener augmentation. $\mathfrak{esl}_{n,p}(\mathbb{A}^\circ) = \{\mathrm{Aug}_{n,\mathcal{L},2,\sigma,s^*} \mid s^* = \mathrm{NAME}(\mathbb{A}),\ \{|c|\}_u \in \mathrm{Esc}(\mathcal{F}_{\mathbb{A},n}, \mathit{ep})$ and $\sigma$ maps the $m$ in the listener role to $\mathrm{inv}(u)\}$.

• Critical path listener augmentation. $\mathfrak{cpl}_{n,p}(\mathbb{A}^\circ) = \{\mathrm{Aug}_{n,\mathcal{L},2,\sigma,s^*} \mid s^* = \mathrm{NAME}(\mathbb{A}),\ \mathit{ep} = \{|c|\}_u$ and $\sigma$ maps the $m$ in the listener role to $u\}$. Note that $\mathfrak{cpl}_{n,p}(\mathbb{A}^\circ)$ is $\emptyset$ if $\mathit{ep}$ is not an encryption.

9.2  The  Skeletonization  Suite 

The skeletonization suite is designed to rectify pre-skeletons back into skeletons.

The overall process is as follows. If $\mathbb{A}$ is not a skeleton, then either it is not a skeleton because some atom in $U$ originates on more than one strand, or because there are required orderings that are not present. We resolve all of the former issues before the latter. When a restricted atom originates on multiple strands, we resolve the problem in one of two ways: either we merge two strands on which the atom originates, via unification and compression, or we de-originate one of the origination points, in which we apply a substitution to the strand so that the atom is gained at an earlier point.

The skeletonization suite is $\mathfrak{S}(\mathbb{A}^\circ) = \{\mathrm{OE} \circ \mathsf{f} \mid \mathsf{f} \in \mathfrak{ur}(\mathbb{A}^\circ)\}$. The unique origination rectification suite, $\mathfrak{ur}$, is defined to be $\{\mathrm{Id}\}$ if $\mathrm{NUO}(\mathbb{A}^\circ)$ is empty, where $\mathrm{NUO}(\mathbb{A}^\circ)$, the set of non-compliant unique origination constraints, is defined to be $\{(t, n, n') \mid t \in U_{\mathbb{A}}$ and $n$ and $n'$ are distinct points of origination of $t$ in $\mathbb{A}\}$, or otherwise defined recursively as follows:

$$\mathfrak{ur}(\mathbb{A}^\circ) = \{\mathsf{f} \circ \mathsf{f}' \mid (t, n, n') = \mathrm{UOI}(\mathbb{A}),\ \mathsf{f}' \in \mathfrak{ur}_{t,n,n'}(\mathbb{A}^\circ),\ \mathsf{f} \in \mathfrak{ur}(\mathsf{f}'(\mathbb{A}^\circ))\},$$

where $\mathfrak{ur}_{t,n,n'}(\mathbb{A}^\circ) = \mathfrak{M}_{t,n,n'}(\mathbb{A}^\circ) \cup \mathfrak{D}_{t,n,n'}(\mathbb{A}^\circ)$, and where $\mathfrak{M}$ (the merging suite) and $\mathfrak{D}$ (the deorigination suite) are defined below. Recall that $\mathrm{UOI}(\mathbb{A})$ outputs a triple in $\mathrm{NUO}(\mathbb{A})$ as long as $\mathrm{NUO}(\mathbb{A})$ is non-empty.

Definition 9.6 (Merging suite.). Let $n$ be in strand $s$ and let $n'$ be in strand $s'$. Let $i$ be the smaller of the lengths of $s$ and $s'$. Note that $s$ and $s'$ must be distinct because for any $t$ there can be only one point of origination per strand, and $n$ and $n'$ are distinct. Then $\mathfrak{M}_{t,n,n'} = \{\mathrm{Comp}_{s,s'} \circ \mathrm{Sub}_\sigma \mid \sigma \in U\}$ where $U$ is a set of most general unifiers of $\Theta(s)|_i$ with $\Theta(s')|_i$.

Remark 9.7. Merging is the only skeletonization-related suite that involves the compression operator, and is thus the only place where a concern arises as to whether operators in the skeletonization suite can be viewed as assignment-transforming. A merging operator $\mathrm{Comp}_{s,s'} \circ \mathrm{Sub}_\sigma$ is assignment-transforming on $(\mathbb{A}, \mathcal{A})$ whenever $\mathcal{A}$ associates strands $s$ and $s'$ with the same role, because in such cases compression occurs between two strands with the same role association, and therefore, the association of the combined strand is unambiguous.

Definition 9.8 (Deorigination suite.). Let $n = (s, i)$. Let $V = \{(i', \mathit{pp}) \mid i' < i$ and $\mathit{pp} \in \mathrm{CarPath}(\mathrm{mesg}(s, i'))\}$. Then let $U_{i',\mathit{pp}}$ be a set of most general unifiers of the endpoint of $\mathit{pp}$ with $t$, if the endpoint of $\mathit{pp}$ is not a variable of sort MESG. If $\mathit{pp}$ does terminate in a variable of sort MESG, let $U_{i',\mathit{pp}}$ be a set of most general unifiers of the endpoint of $\mathit{pp}$ with a term that carries $t$.
Then  ^ t,n,n ’  tE  Ui'pp^. 

Remark 9.9. When $\mathit{pp}$ terminates in a variable of sort MESG, $U_{i',\mathit{pp}}$ is not finite. Therefore, if this situation ever comes up, CPSA will not terminate.

9.3 Post-Processing Filters

The post-processing filters filter out operators that are invalid or have failed to make progress. Once these filters are defined, we can define the cohort, which is CPSA’s high-level reduction step.

Let $\mathbb{A}$ be a protoskeleton, let $L_{\mathbb{A}}$ be a valid listener set for $\mathbb{A}$, and let $\mathsf{f}$ be an operator defined on $\mathbb{A}^\circ$. Let $n$ be an unrealized node of $\mathbb{A}$ and let $p$ be a critical path of $\mathrm{evt}_{\mathbb{A}}(n)$ in the fragment $\mathcal{F}_{\mathbb{A},n}$.

Definition 9.10 (Post-processing filter). The post-processing filter $PP_{n,p}$ is defined to be $WF \cap HC \cap SF_{n,p}$.

Definition 9.11 (Well-formed filter). $WF = \{(\mathbb{A}^\circ, \mathsf{f})$ such that $\mathsf{f}(\mathbb{A})$ is a preskeleton$\}$.

Definition 9.12 (Homomorphism check). $HC = \{(\mathbb{A}^\circ, \mathsf{f})$ such that $\Lambda_{\mathsf{f}}(\mathbb{A})$ is a homomorphism from $\mathbb{A}$ to $\mathsf{f}(\mathbb{A})\}$.

Definition 9.13 (Solved filter). $SF_{n,p}$ is the set of pairs $(\mathbb{A}^\circ, \mathsf{f})$ such that $p$ is weakly solved in $\mathcal{F}_{\mathsf{f}(\mathbb{A}),\varphi(n)}$ by $\sigma$, where $\Lambda_{\mathsf{f}}(\mathbb{A}) = (\varphi, \sigma)$.

In our proof later it would be desirable to prove that if $(\mathbb{A}^\circ, \mathsf{f})$ is in $SF_{n,p}$ then so is $(\mathbb{A}^\circ, \mathsf{g} \circ \mathsf{f})$ for all $\mathsf{g}$. This is the case for some of the solved conditions:

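Remark 9.14. Let $n, p$ be a test in unrealized skeleton $\mathbb{A}^\circ$ and let $\mathbb{A}^\circ \overset{(\varphi,\sigma)}{\dashrightarrow} \mathbb{B}^\circ \overset{(\varphi',\sigma')}{\dashrightarrow} \mathbb{C}^\circ$, and let $\mathcal{F} = \mathcal{F}_{\mathbb{A},n}$, $\mathcal{F}' = \mathcal{F}_{\mathbb{B},\varphi(n)}$, and $\mathcal{F}'' = \mathcal{F}_{\mathbb{C},\varphi'(\varphi(n))}$. Then:

1. If $p, \mathcal{F}, \mathcal{F}', (\varphi, \sigma)$ meet condition Sol1 then so do $p, \mathcal{F}, \mathcal{F}'', (\varphi' \circ \varphi, \sigma' \circ \sigma)$.

2. If $p, \mathcal{F}, \mathcal{F}', (\varphi, \sigma)$ meet condition Sol3 then so do $p, \mathcal{F}, \mathcal{F}'', (\varphi' \circ \varphi, \sigma' \circ \sigma)$.

3. If $p, \mathcal{F}, \mathcal{F}', (\varphi, \sigma)$ meet condition Sol4 then so do $p, \mathcal{F}, \mathcal{F}'', (\varphi' \circ \varphi, \sigma' \circ \sigma)$.

However, this is not the case generally: progress guaranteed by condition Sol2 or Sol5 can be reversed, for instance, by later unifications. What we can prove is that these properties are preserved under extensions of an operator that factor a map to another protoskeleton in which the same property holds.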

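Remark 9.15. Let $n, p$ be a test in unrealized skeleton $\mathbb{A}_1^\circ$ and let

$$\mathbb{A}_1^\circ \overset{(\varphi_1,\sigma_1)}{\dashrightarrow} \mathbb{A}_2^\circ \overset{(\varphi_2,\sigma_2)}{\dashrightarrow} \mathbb{A}_3^\circ \overset{(\varphi_3,\sigma_3)}{\dashrightarrow} \mathbb{A}_4^\circ.$$

Let $\mathcal{F}_1 = \mathcal{F}_{\mathbb{A}_1,n}$, let $\mathcal{F}_2 = \mathcal{F}_{\mathbb{A}_2,\varphi_1(n)}$, let $\mathcal{F}_3 = \mathcal{F}_{\mathbb{A}_3,\varphi_2(\varphi_1(n))}$, and let $\mathcal{F}_4 = \mathcal{F}_{\mathbb{A}_4,\varphi_3(\varphi_2(\varphi_1(n)))}$. Let $\lambda = (\varphi, \sigma) = (\varphi_1, \sigma_1)$, $\lambda' = (\varphi', \sigma') = (\varphi_2 \circ \varphi_1, \sigma_2 \circ \sigma_1)$, and $\lambda'' = (\varphi'', \sigma'') = (\varphi_3 \circ \varphi_2 \circ \varphi_1, \sigma_3 \circ \sigma_2 \circ \sigma_1)$. Then:

1. If $p, \mathcal{F}_1, \mathcal{F}_2, \lambda$ meet condition Sol2 with path $p'$, and if $p, \mathcal{F}_1, \mathcal{F}_4, \lambda''$ meet condition Sol2 with path $\sigma_3(\sigma_2(p'))$, then $p, \mathcal{F}_1, \mathcal{F}_3, \lambda'$ meet condition Sol5 with path $\sigma_2(p')$.

2. If $p, \mathcal{F}_1, \mathcal{F}_2, \lambda$ meet condition Sol5 with term $\mathit{tt}$, and if $p, \mathcal{F}_1, \mathcal{F}_4, \lambda''$ meet condition Sol5 with term $\sigma_3(\sigma_2(\mathit{tt}))$ then $p, \mathcal{F}_1, \mathcal{F}_3, \lambda'$ meet condition Sol5 with term $\sigma_2(\mathit{tt})$.

Although these claims are complex, they both boil down to the same observation: if two terms have not been unified in $\mathbb{A}_2$ but are unified in $\mathbb{A}_3$, they must be unified in $\mathbb{A}_4$. Therefore, knowing they are not unified in both $\mathbb{A}_2$ and $\mathbb{A}_4$ implies they are not unified in $\mathbb{A}_3$. In the case of Sol2, the pairs of terms are those visited by (f, tt) and those in the image of $\mathrm{Esc}(\mathcal{F}_1, \mathit{ep})$. In the case of Sol5, the pairs are the new target term and the image of $\mathrm{Targ}(\mathrm{Esc}(\mathcal{F}_1, \mathit{ep}))$.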

9.4  The  Cohort  and  the  CPSA  Set  Reduction 

First, we define the cohort, the top-level suite used in the CPSA algorithm.

Definition 9.16 (The cohort). The cohort, $\mathfrak{coh}_{n,p}(\mathbb{A}^\circ)$, is defined to be

$$\mathfrak{coh}_{n,p}(\mathbb{A}^\circ) = (\mathfrak{S} \circ \mathfrak{P}_{n,p})_{PP_{n,p}}(\mathbb{A}^\circ).$$

Next we define the reduction relation on sets of listener-committed skeletons.

Definition 9.17 (Setwise reduction). Let $S = \{\mathbb{A}_i^\circ \mid 1 \le i \le k\}$ be a set of listener-committed skeletons. If $\mathbb{A}_i^\circ = \mathrm{SEARCH}(S)$ and $(n, p) = \mathrm{TEST}(\mathbb{A}_i^\circ)$ then $S \twoheadrightarrow \{\mathbb{A}_j^\circ \mid 1 \le j \le k,\ j \neq i\} \cup \mathfrak{coh}_{n,p}[\mathbb{A}_i^\circ]$.

The overall operation of CPSA is as follows. The user specifies the point of view $\mathbb{A}^*$ along with the protocol $P$. We calculate the initial set $S = \{\mathbb{A}^\circ\}$. Then we proceed as follows:

1. If $\exists T$ such that $S \twoheadrightarrow T$, let $S \leftarrow T$, and go to 1.

2. Else, output $S$.

CPSA in fact picks a particular element of $S$ and a particular $n$ and $p$ and chooses the $T$ resulting from that choice. However, CPSA is configurable to make different choices of these sorts, so we simply need to understand that CPSA (when it halts) outputs a normal form of the reduction, that is, a set $S$ such that $\neg\exists T : S \twoheadrightarrow T$.


10  Suite  Completeness 

In this section we state and prove various suite completeness theorems, culminating in a proof that CPSA's overall approach is complete.

First,  we  state  a  number  of  definitions  that  should  help  to  simplify  and 
clarify  the  complex  theorem  statements  and  proofs  to  follow.  Most  of  the 
theorems  proving  the  completeness  of  CPSA  are  ones  that  concern  proving 
that  coverage  of  a  certain  type  can  be  maintained  while  advancing  from  one 
listener-committed  protoskeleton  to  another  via  a  certain  suite.  The  notion 
of  coverage  varies  for  each  theorem,  and  what  is  essential  to  understand  from 
the  lemmas  are  the  particular  properties  of  that  coverage,  which  are  distinct 
for  each  theorem.  There  is  also,  in  each  of  these  theorems,  a  complicated 
logical  structure,  but  one  that  is  largely  similar  for  all  the  theorems.  We  first 
make  definitions  reflecting  this  generic  logical  structure,  and  then  proceed  to 
discuss  the  various  lemmas  and  theorems. 

Definition 10.1 (Coverage property). A coverage context is a tuple $\mathcal{C} = (X, Y, \mathrm{Act})$ where $X, Y$ are sets and $\mathrm{Act}$ is a mapping $\mathrm{PSkel} \times X \times \mathrm{Opr}^* \to X$ where $\mathrm{Opr}^*$ is the collection of assignment-transforming operators. A coverage property relative to the coverage context $\mathcal{C}$ is a set $C \subseteq ((\mathrm{PSkel}^* \times X) \times \mathrm{Protom} \times Y)$ such that for all $((\mathbb{A}^*, \beta), \lambda, \alpha) \in C$, $\lambda$ is a protomorphism from $\mathbb{A}$.

If $\beta \in X$, we use the notation $f(\mathbb{A}).\beta$ to refer to $\mathrm{Act}(\mathbb{A}, \beta, f)$. In cases where $\mathbb{A}$ is unambiguous, we sometimes use the notation $f.\beta$.

If $X$ or $Y$ are sets of tuples themselves, we omit the extra nesting of parentheses, as in $((\mathbb{A}^*, t, n, n'), \lambda, \alpha_1, \alpha_2)$.

Definition 10.2 (Suite factoring protomorphisms from protoskeleton under conditions $P$ guaranteeing conditions $Q$). Fix a coverage context $\mathcal{C} = (X, Y, \mathrm{Act})$. Let $s$ be a suite, $P$ and $Q$ coverage properties relative to $\mathcal{C}$, $\mathbb{A}^\circ$ a listener-committed protoskeleton, and $\beta \in X$.

We say $s$ factors protomorphisms from $(\mathbb{A}^\circ, \beta)$ under conditions $P$ guaranteeing conditions $Q$, expressed as

$$(\mathbb{A}^\circ, \beta) : [P \stackrel{s}{\Longrightarrow} Q] \qquad (17)$$

if for all $\lambda, \mathbb{A}^*, \alpha$ such that $((\mathbb{A}^*, \beta), \lambda, \alpha) \in P$ and (adhering to the convention adopted in Remark 7.21) $\mathbb{A}^*$ is an assignment committed protoskeleton such that F._k3($\mathbb{A}^*$) $= \mathbb{A}^\circ$, there is a commutative diagram


where $f \in s(\mathbb{A}^\circ)$ is assignment-transforming on $(\mathbb{A}, \mathcal{A})$ and

$$((f(\mathbb{A}^*), \mathrm{Act}(\mathbb{A}, \beta, f)), \lambda', \alpha) \in Q.$$

Definition 10.3 (Suite factoring coverings from protoskeleton under conditions $P$ guaranteeing conditions $Q$). Fix a coverage context $\mathcal{C} = (X, Y, \mathrm{Act})$. Let $s$ be a suite, $P$ and $Q$ coverage properties relative to $\mathcal{C}$, $\mathbb{A}^\circ$ a listener-committed protoskeleton, and $\beta \in X$.

We say $s$ factors coverings from $(\mathbb{A}^\circ, \beta)$ under conditions $P$ guaranteeing conditions $Q$, expressed as

$$(\mathbb{A}^\circ, \beta) : [\![P \stackrel{s}{\Longrightarrow} Q]\!] \qquad (19)$$

if for all $\lambda, \mathbb{A}^*, \alpha$ such that $((\mathbb{A}^*, \beta), \lambda, \alpha) \in P$ there exists an operator $f \in s(\mathbb{A}^\circ)$ that is assignment-transforming on $(\mathbb{A}, \mathcal{A})$ and a $\lambda'$ such that

$$\lambda|_{\mathrm{Rmv}(\mathbb{A}^\circ)} = (\lambda' \circ \lambda_{f(\mathbb{A}^\circ)})|_{\mathrm{Rmv}(\mathbb{A}^\circ)} \qquad (20)$$

and $((f(\mathbb{A}^*), \mathrm{Act}(\mathbb{A}, \beta, f)), \lambda', \alpha) \in Q$.

Remark 10.4. This notion is nearly identical to the idea of a suite factoring a protomorphism from protoskeleton w.r.t. a predicate, except that the condition expressed by the commutative diagram (18) can only be considered to be true modulo listeners. Note the difference in notation: $\mathbb{A}^\circ : [\![P \Longrightarrow Q]\!]$ uses double brackets, as in our notation for coverage, whereas $\mathbb{A}^\circ : [P \Longrightarrow Q]$ does not.
Definition 10.5 (Test). A test of an unrealized skeleton $\mathbb{A}^\circ$ is a pair $(n,p)$ where $n$ is an unrealized node of $\mathbb{A}^\circ$, and $p$ is a critical path of $\mathrm{evt}_{\mathbb{A}^\circ}(n)$ in the fragment Thr.n-

Definition 10.6 (Equivalence modulo listeners). $\mathbb{A}^\circ \stackrel{R}{=} \mathbb{B}^\circ$ if and only if $\mathrm{Rmv}(\mathbb{A}^\circ) = \mathrm{Rmv}(\mathbb{B}^\circ)$.

In what follows, we only use $\stackrel{R}{=}$ among realized skeletons.

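Definition 10.7 (Strict role-generated uniques). Let $\mathbb{A}^* = (\mathbb{A}, \mathcal{A})$ be a preskeleton and let $\mathbb{A}'^\circ$ be a protoskeleton and $(\varphi, \sigma)$ be a protomorphism where $\mathbb{A}'^\circ \stackrel{\varphi,\sigma}{\dashrightarrow} \mathbb{A}^\circ$. Then $\mathbb{A}^*$ has strictly role-generated unique origination assumptions over $(\mathbb{A}'^\circ, (\varphi, \sigma))$ if $U_{\mathbb{A}} = \sigma(U_{\mathbb{A}'}) \cup U_{\mathcal{A}}$.

Definition 10.8 (Coverage modulo listeners context). Let the coverage modulo listeners context $\mathcal{C}_M$ be $(\mathrm{Opr}, (\mathrm{PSkel}^\circ \times \mathrm{PSkel}^\circ), \mathrm{Act}_M)$ where $\mathrm{Act}_M(\mathbb{A}, g, f) = f \circ g$.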

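Definition 10.9 (Precohort coverage property). The precohort coverage property $\mathrm{PCoh}_{n,p}$ is defined with respect to the context $\mathcal{C}_M$, and includes the set of 4-tuples $((\mathbb{A}^*, g), \lambda, \mathbb{B}^\circ, \mathbb{A}'^\circ)$ such that

• P1. $\mathbb{A}^*$ is a preskeleton.

• P2. $\mathbb{B}^\circ$ is a realized skeleton.

• P3. There exists $\mathbb{B}'^*$, a realized skeleton, with $\mathbb{B}^\circ \stackrel{R}{=} \mathbb{B}'^\circ$ such that $\lambda$ is structure-preserving and $\mathbb{A}^* \stackrel{\lambda}{\dashrightarrow} \mathbb{B}'^*$.

• P4. $g(\mathbb{A}'^\circ) = \mathbb{A}^\circ$.

• P5. $\mathbb{A}^*$ has strictly role-generated unique origination assumptions over $(\mathbb{A}'^\circ, \lambda_{g(\mathbb{A}'^\circ)})$.

• P6. For all $\lambda'$ such that $\mathbb{A} \stackrel{\lambda'}{\dashrightarrow} \mathbb{C} \stackrel{\lambda''}{\dashrightarrow} \mathbb{B}'$ with $\lambda = \lambda'' \circ \lambda'$, $p$ is weakly solved in tFc^gn) by $\sigma'$ where $\lambda' = (\varphi', \sigma')$.

Definition 10.10 (Cohort coverage property). The cohort coverage predicate $\mathrm{Coh}$ is defined with respect to the context $\mathcal{C}_M$, and includes the set of 4-tuples $((\mathbb{A}^*, g), \lambda, \mathbb{B}^\circ, \mathbb{A}'^\circ)$ such that

• C1. $\mathbb{A}^*$ is a skeleton.

• P2. $\mathbb{B}^\circ$ is a realized skeleton.

• C3. There exists $\mathbb{B}'^*$, a realized skeleton, with $\mathbb{B}^\circ \stackrel{R}{=} \mathbb{B}'^\circ$ such that $\mathbb{A}^* \xrightarrow{\lambda} \mathbb{B}'^*$.

• P4. $g(\mathbb{A}'^\circ) = \mathbb{A}^\circ$.

In the definition of the cohort coverage property, we need to allow for existence of some $\mathbb{B}'$ rather than simply use $\mathbb{B}$, due to the case in which $f$ adds a listener strand that had no available image in $\mathbb{B}$.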

The  main  theorem  to  be  established  first  is  the  completeness  of  the  CPSA 
cohort  suite.  This  is  proven  given  two  central  lemmas,  which  we  state  here 
but prove later. The pre-cohort completeness lemma establishes that the pre-cohort produces a complete (in terms of coverage) set of preskeleton outputs that pass the solved filter.

Lemma  10.11  (Pre-cohort  completeness).  Let  A°  be  an  unrealized  skeleton 

fYl-P  Pn,p 

and  let  ( n,p )  be  any  test  of  A0.  Then  (A°,  Id)  :  [Coh  =  >  PCohnjP]. 

We  prove  Lemma  10.11  in  Section  12. 

The skeletonization completeness lemma establishes that skeletonization is complete with regard to homomorphisms to a skeleton, and produces only skeletons. Informally: when $\mathbb{A} \to \mathbb{A}'$ where $\mathbb{A}$ is a skeleton but $\mathbb{A}'$ is only presumed to be a preskeleton, then any homomorphism from $\mathbb{A}$ to a skeleton that factors through the map to $\mathbb{A}'$ factors, further, through the linking protomorphism of some element of the skeletonization suite on $\mathbb{A}'$.

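Definition 10.12 (Ancestor-aware coverage context). Let the ancestor-aware coverage context $\mathcal{C}_A$ be $(\mathrm{Protom}, \mathrm{PSkel}^*, \mathrm{Act}_A)$ where $\mathrm{Act}_A(\mathbb{A}, \lambda, f) = \lambda_{f(\mathbb{A})} \circ \lambda$.

Definition 10.13 (Skeleton coverage property). Let $\mathbb{A}_0^\circ$ be a skeleton. Then the skeleton coverage property $\mathrm{Skl}_{\mathbb{A}_0}$ is defined with respect to the context $\mathcal{C}_A$, and includes the set of 3-tuples $((\mathbb{A}^*, \lambda_0), \lambda, \mathbb{B}^*)$ such that

• S1. $\mathbb{A}^*$ is a preskeleton.

• S2. $\mathbb{B}^*$ is a skeleton.

• S3. $\mathbb{A}_0^\circ \xrightarrow{\lambda_0} \mathbb{A}^\circ$.

• S4. $\mathbb{A}_0^\circ \xrightarrow{\lambda \circ \lambda_0} \mathbb{B}^\circ$.

• S5. $\mathbb{A}^* \stackrel{\lambda}{\dashrightarrow} \mathbb{B}^*$ and $\lambda$ is structure-preserving.

• S6. $\mathbb{A}^*$ has strictly role-generated unique origination assumptions over $(\mathbb{A}_0^\circ, \lambda_0)$.

Definition 10.14 (Skeleton homomorphism coverage property). Let $\mathbb{A}_0^\circ$ be a skeleton. Then the skeleton homomorphism coverage property $\mathrm{SklHom}_{\mathbb{A}_0}$ is defined with respect to the context $\mathcal{C}_A$, and includes the set of 3-tuples $((\mathbb{A}^*, \lambda_0), \lambda, \mathbb{B}^*)$ that meet conditions S2, S3, S4, S6, and

• SH1. $\mathbb{A}^*$ is a skeleton.

• SH5. $\mathbb{A}^* \xrightarrow{\lambda} \mathbb{B}^*$.

In order to discuss the homomorphism check filter properly in the skeletonization completeness lemma, we must first describe the homomorphism check filter in a different way. Let $\mathrm{HC}_{\mathbb{A},\lambda} = \{(\mathbb{A}'^\circ, f) \mid \lambda_{f(\mathbb{A}')} \circ \lambda$ is a homomorphism from $\mathbb{A}$ to $f(\mathbb{A}')\}$.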

Lemma  10.15  (Skeletonization  completeness).  Let  Ag  be  a  skeleton  and  let 

N  lVFnffCA  A 

A°  be  a  preskeleton  such  that  Ag  —A  A°.  Then  (A°,  Ao)  :  [SklAo  =» 

SklHomAo], 


We  prove  Lemma  10.15  in  Section  11. 

From  these,  we  can  give  a  proof  of  Theorem  10.16. 

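Theorem 10.16 (CPSA cohort completeness). Let $\mathbb{A}^\circ$ be an unrealized skeleton and let $(n,p)$ be any test of $\mathbb{A}^\circ$. Then $(\mathbb{A}^\circ, \mathrm{Id}) : [\![\mathrm{Coh} \stackrel{\mathfrak{coh}_{n,p}}{\Longrightarrow} \mathrm{Coh}]\!]$.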


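Proof. Let $\mathbb{A}^\circ$ be an unrealized skeleton and let $(n,p)$ be a test of $\mathbb{A}^\circ$. Let $((\mathbb{A}^*, \mathrm{Id}), \lambda, \mathbb{B}^\circ, \mathbb{A}^\circ) \in \mathrm{Coh}$, with $\mathbb{B}'^*$ satisfying condition C3.

By Lemma 10.11, there is an assignment-transforming operator $g$ in the filtered pre-cohort suite of that lemma and a $\lambda'$ such that $((g(\mathbb{A}^*), g), \lambda', \mathbb{B}^\circ, \mathbb{A}^\circ) \in \mathrm{PCoh}_{n,p}$ and $\lambda|_{\mathrm{Rmv}(\mathbb{A}^\circ)} = (\lambda' \circ \lambda_{g(\mathbb{A})})|_{\mathrm{Rmv}(\mathbb{A}^\circ)}$. Let $\mathbb{B}''^* = (\mathbb{B}'', \mathcal{B}'')$ be an assignment-committed realized skeleton satisfying condition P3.

We claim that the 3-tuple $((g(\mathbb{A}^*), \lambda_{g(\mathbb{A})}), \lambda', \mathbb{B}''^*)$ is in $\mathrm{Skl}_{\mathbb{A}}$.

• S1. Guaranteed because $(\mathbb{A}^\circ, g) \in \mathrm{WF}$.

• S2. We already know $\mathbb{B}''^*$ is a skeleton, so S2 is met.

• S3. Guaranteed because $(\mathbb{A}^\circ, g) \in \mathrm{HC}$.

• S4. We know that $\lambda|_{\mathrm{Rmv}(\mathbb{A}^\circ)} = (\lambda' \circ \lambda_{g(\mathbb{A})})|_{\mathrm{Rmv}(\mathbb{A}^\circ)}$, and we know $\mathbb{A}^\circ \stackrel{\lambda' \circ \lambda_{g(\mathbb{A})}}{\dashrightarrow} \mathbb{B}''^\circ$. As noted below, $\lambda'$ is structure-preserving, and so is $\lambda_g$ since it is a composition of linking maps of primitive operators. Therefore, $\lambda' \circ \lambda_{g(\mathbb{A})}$ is structure-preserving. Furthermore, it preserves points of origination, since all points of origination occur in $\mathrm{Rmv}(\mathbb{A}^\circ)$. Therefore, $\lambda' \circ \lambda_{g(\mathbb{A})}$ is a homomorphism.

• S5. $g(\mathbb{A}^*) \stackrel{\lambda'}{\dashrightarrow} \mathbb{B}''^*$ and $\lambda'$ is structure-preserving by condition P3.

• S6. Guaranteed because of conditions P4 and P5.

Thus, by Lemma 10.15, there is an assignment-transforming $h$ in the skeletonization suite with filter $\mathrm{WF} \cap \mathrm{HC}_{\mathbb{A},\lambda_{g(\mathbb{A})}}$ and a $\lambda''$ such that $((h(g(\mathbb{A}^*)), \lambda_{g(\mathbb{A})} \circ \lambda_0), \lambda'', \mathbb{B}''^*)$ is in $\mathrm{SklHom}_{\mathbb{A}}$. Let $f = h \circ g \in \mathfrak{coh}_{n,p}(\mathbb{A}^\circ)$. We claim that the 4-tuple $((f(\mathbb{A}^*), f), \lambda'', \mathbb{B}^\circ, \mathbb{A}^\circ)$ is in $\mathrm{Coh}$.

• C1. Guaranteed by condition SH1.

• P2. Guaranteed by condition P2 for the 4-tuple $((\mathbb{A}^*, \mathrm{Id}), \lambda, \mathbb{B}^\circ, \mathbb{A}^\circ)$.

• C3. $\mathbb{B}''^*$ satisfies this condition. We already know $\mathbb{B}''^*$ is a realized skeleton and that $\mathbb{B}^\circ \stackrel{R}{=} \mathbb{B}''^\circ$, and condition SH5 guarantees that $\mathbb{A}^* \xrightarrow{\lambda''} \mathbb{B}''^*$.

• P4. Applying $f$ to $\mathbb{A}^\circ$ gives $f(\mathbb{A}^\circ)$.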

We  know  that  f  e  6  o  we  need  only  prove  that  (A°,  f)  e  PPn,p-  We 
know  (A°,f)  G  WF  from  condition  Cl  and  (A°,f)  G  HC  from  condition  C3. 
Also,  we  know  that  (A°,f)  G  SFnp  by  condition  P6.  □ 

10.1  Top-level  Completeness  Proof 

Assuming  the  results  of  Theorem  10.16,  we  can  prove  the  main  completeness 
result: 
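Theorem 10.17 (CPSA overall completeness). Let $\mathbb{A}^\circ$ be the input to CPSA and suppose CPSA produces a set $S$ in a finite number of steps during its setwise reduction. Let $H_{\mathbb{B}^\circ}$ be the set of homomorphisms $\mathbb{A}^\circ \to \mathbb{B}^\circ$. Then

$$[\![\mathbb{A}^\circ]\!] = \bigcup_{\mathbb{B}^\circ \in S} \{(\mathbb{A}', \lambda' \circ (\lambda|_{\mathrm{Rmv}(\mathbb{A}^\circ)})) \mid (\mathbb{A}', \lambda') \in [\![\mathbb{B}^\circ]\!],\ \lambda \in H_{\mathbb{B}^\circ}\}$$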

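Proof. Let $\mathbb{A}^\circ$ be the input to CPSA and suppose CPSA produces $S$ during its setwise reduction in a finite number, $n$, of steps. Let $S_1, \ldots, S_n$ be the sequence of sets CPSA calculates, where $S_1 = \{\mathbb{A}^\circ\}$ and $S_n = S$. For each $i$ from 1 to $n - 1$, let $\mathbb{A}_i^\circ, n_i, p_i$ be such that $S_{i+1} = (S_i \setminus \{\mathbb{A}_i^\circ\}) \cup \mathfrak{coh}_{n_i,p_i}[\mathbb{A}_i^\circ]$, where $\mathbb{A}_i^\circ = \mathrm{SEARCH}(S_i)$ and $(n_i, p_i) = \mathrm{TEST}(\mathbb{A}_i^\circ)$.

Now we must prove that

$$[\![\mathbb{A}^\circ]\!] = \bigcup_{\mathbb{B}^\circ \in S} \{(\mathbb{A}', \lambda' \circ (\lambda|_{\mathrm{Rmv}(\mathbb{A}^\circ)})) \mid (\mathbb{A}', \lambda') \in [\![\mathbb{B}^\circ]\!],\ \lambda \in H_{\mathbb{B}^\circ}\}$$

Let $(\mathbb{A}', \mu) \in [\![\mathbb{A}^\circ]\!]$, and let $\mathbb{B}'^*$ be any realized skeleton such that $\mathrm{Rmv}(\mathbb{B}'^\circ) = \mathbb{A}'$, and let $\mathbb{A}^*$ and $\nu$ be such that $\mathbb{A}^* \xrightarrow{\nu} \mathbb{B}'^*$ such that $\nu|_{\mathrm{Rmv}(\mathbb{A}^\circ)} = \mu$.

We define a sequence of tuples $(\mathbb{C}_i^*, \lambda_i, \mathbb{B}_i^*, \nu_i)$ such that $((\mathbb{C}_i^*, \mathrm{Id}), \nu_i, \mathbb{B}'^\circ, \mathbb{C}_i^\circ) \in \mathrm{Coh}$ where $\mathbb{B}_i^*$ satisfies condition C3, such that $\mathbb{A}^* \xrightarrow{\lambda_i} \mathbb{C}_i^*$, and $(\nu_i \circ \lambda_i)|_{\mathrm{Rmv}(\mathbb{A}^\circ)} = \mu$. The sequence is defined as follows:

• $\mathbb{B}_1^* = \mathbb{B}'^*$, $\mathbb{C}_1^* = \mathbb{A}^*$, $\lambda_1 = \lambda_{\mathrm{Id}}$, and $\nu_1 = \nu$. The tuple $(\mathbb{C}_1^*, \lambda_1, \mathbb{B}_1^*, \nu_1)$ clearly has the required properties.

• If $\mathbb{C}_i^\circ \ne \mathbb{A}_i^\circ$ then $\mathbb{C}_{i+1}^* = \mathbb{C}_i^*$, $\mathbb{B}_{i+1}^* = \mathbb{B}_i^*$, $\lambda_{i+1} = \lambda_i$, and $\nu_{i+1} = \nu_i$. All required properties of the tuple are clear.

• If $\mathbb{C}_i^\circ = \mathbb{A}_i^\circ$, then by Theorem 10.16 there is an $f \in \mathfrak{coh}_{n_i,p_i}(\mathbb{A}_i^\circ)$ and a $\nu_{i+1}$ such that $((f(\mathbb{C}_i^*), f), \nu_{i+1}, \mathbb{B}'^\circ, \mathbb{C}_i^\circ) \in \mathrm{Coh}$ and a $\mathbb{B}_{i+1}^*$ that satisfies the conditions of property C3. Note that $((f(\mathbb{C}_i^*), \mathrm{Id}), \nu_{i+1}, \mathbb{B}'^\circ, f(\mathbb{C}_i^\circ)) \in \mathrm{Coh}$ and the same $\mathbb{B}_{i+1}^*$ satisfies conditions C3, because the only condition affected by the changed fields is P4.

Define $\mathbb{C}_{i+1}^* = f(\mathbb{C}_i^*)$ and define $\lambda_{i+1} = \lambda_{f(\mathbb{A}_i^\circ)} \circ \lambda_i$. Then the tuple $(\mathbb{C}_{i+1}^*, \lambda_{i+1}, \mathbb{B}_{i+1}^*, \nu_{i+1})$ has the required properties:

- We already know $((f(\mathbb{C}_i^*), \mathrm{Id}), \nu_{i+1}, \mathbb{B}'^\circ, f(\mathbb{C}_i^\circ)) \in \mathrm{Coh}$ where $\mathbb{B}_{i+1}^*$ satisfies condition C3.

- We know that $(\nu_{i+1} \circ \lambda_{f(\mathbb{A}_i)})|_{\mathrm{Rmv}(\mathbb{A}^\circ)} = \nu_i|_{\mathrm{Rmv}(\mathbb{A}^\circ)}$ and $(\nu_i \circ \lambda_i)|_{\mathrm{Rmv}(\mathbb{A}^\circ)} = \mu$. Because $\lambda_i$ is a homomorphism of listener-committed skeletons, all non-listener strands of $\mathbb{A}^\circ$ map to non-listener strands of $\mathbb{A}_i^\circ$. Thus, $(\nu_{i+1} \circ \lambda_{f(\mathbb{A}_i)} \circ \lambda_i)|_{\mathrm{Rmv}(\mathbb{A}^\circ)} = (\nu_i \circ \lambda_i)|_{\mathrm{Rmv}(\mathbb{A}^\circ)} = \mu$, and since $\lambda_{f(\mathbb{A}_i^\circ)} \circ \lambda_i = \lambda_{i+1}$, we have that $(\nu_{i+1} \circ \lambda_{i+1})|_{\mathrm{Rmv}(\mathbb{A}^\circ)} = \mu$.

Thus, we have $(\mathbb{C}_n^*, \lambda_n, \mathbb{B}_n^*, \nu_n)$ with these properties, where $\mathbb{C}_n^\circ \in S_n = S$. Note that since $\mathbb{C}_n^\circ \xrightarrow{\nu_n} \mathbb{B}_n^\circ$ where $\mathbb{B}_n^\circ$ is realized, $(\mathrm{Rmv}(\mathbb{B}_n^\circ), \nu_n|_{\mathrm{Rmv}(\mathbb{C}_n^\circ)}) \in [\![\mathbb{C}_n^\circ]\!]$. Furthermore, $\lambda_n \in H_{\mathbb{C}_n^\circ}$ and $(\nu_n \circ \lambda_n)|_{\mathrm{Rmv}(\mathbb{A}^\circ)} = \mu$. Since $\lambda_n$ is a homomorphism of listener-committed skeletons, all non-listener strands of $\mathbb{A}^\circ$ map to non-listener strands of $\mathbb{C}_n^\circ$, so $(\nu_n|_{\mathrm{Rmv}(\mathbb{C}_n^\circ)} \circ \lambda_n)|_{\mathrm{Rmv}(\mathbb{A}^\circ)} = (\nu_n \circ \lambda_n)|_{\mathrm{Rmv}(\mathbb{A}^\circ)} = \mu$.

This proves that $[\![\mathbb{A}^\circ]\!] \subseteq \bigcup_{\mathbb{B}^\circ \in S} \{(\mathbb{A}', \lambda' \circ (\lambda|_{\mathrm{Rmv}(\mathbb{A}^\circ)})) \mid (\mathbb{A}', \lambda') \in [\![\mathbb{B}^\circ]\!],\ \lambda \in H_{\mathbb{B}^\circ}\}$. To prove equality we must also establish the other inclusion.

Suppose $(\mathbb{A}', \mu) \in [\![\mathbb{B}^\circ]\!]$ where $\mathbb{B}^\circ \in S$, and suppose $\lambda \in H_{\mathbb{B}^\circ}$. We know $\mathbb{A}^\circ \xrightarrow{\lambda} \mathbb{B}^\circ$. Let $\mathbb{B}'^\circ$ and $\nu$ be such that $\mathbb{B}^\circ \xrightarrow{\nu} \mathbb{B}'^\circ$, $\mathrm{Rmv}(\mathbb{B}'^\circ) = \mathbb{A}'$, and $\mu = \nu|_{\mathrm{Rmv}(\mathbb{B}^\circ)}$. Then $\mathbb{A}^\circ \xrightarrow{\nu \circ \lambda} \mathbb{B}'^\circ$, and $(\nu \circ \lambda)|_{\mathrm{Rmv}(\mathbb{A}^\circ)} = (\mu \circ (\lambda|_{\mathrm{Rmv}(\mathbb{A}^\circ)}))$ because $\lambda$ is a homomorphism of listener-committed skeletons. Thus, $(\mathrm{Rmv}(\mathbb{B}'^\circ), (\mu \circ (\lambda|_{\mathrm{Rmv}(\mathbb{A}^\circ)}))) = (\mathbb{A}', (\mu \circ (\lambda|_{\mathrm{Rmv}(\mathbb{A}^\circ)}))) \in [\![\mathbb{A}^\circ]\!]$. This completes the proof. □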

11  Skeletonization 

In  this  section  we  prove  Lemma  10.15. 

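Definition 11.1 (Ancestor-aware coverage context with term and node pair). Let $N$ be the set of nodes appearing in members of PSkel. Let the ancestor-aware coverage context with term and node pair $\mathcal{C}_{A2}$ be $((\mathrm{Protom} \times \mathfrak{A} \times N \times N), \mathrm{PSkel}^*, \mathrm{Act}_{A2})$ where $\mathrm{Act}_{A2}(\mathbb{A}, (t, n, n', \lambda), f) = (\sigma_{f(\mathbb{A})}(t), \varphi_{f(\mathbb{A})}(n), \varphi_{f(\mathbb{A})}(n'), \lambda_{f(\mathbb{A})} \circ \lambda)$.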

Definition 11.2 (Unique origination issue coverage property). Let $\mathbb{A}_0^\circ$ be a skeleton and let $\mathbb{A}_0^\circ \xrightarrow{\lambda_0} \mathbb{A}^\circ$. Then the unique origination issue coverage property $\mathrm{UrI}_{\mathbb{A}_0}$ is defined with respect to the context $\mathcal{C}_{A2}$, and includes the set of 3-tuples $((\mathbb{A}^*, t, n, n', \lambda_0), \lambda, \mathbb{B}^*)$ such that $((\mathbb{A}^\circ, \lambda_0), \lambda, \mathbb{B}^*) \in \mathrm{Skl}_{\mathbb{A}_0}$ and

• UI1. $n$ and $n'$ are distinct and are both points of origination of $t$ in $\mathbb{A}$.

The unique origination issue predicate refers to coverage (in the same sense as the skeleton coverage) in which there is a violation of a unique origination specification $(n, t, t')$. The next predicate indicates the same kind of coverage but with the violation resolved.

Definition 11.3 (Unique origination issue resolved coverage property). Let $\mathbb{A}_0^\circ$ be a skeleton and let $\mathbb{A}_0^\circ \xrightarrow{\lambda_0} \mathbb{A}^\circ$. Then the unique origination issue resolved property $\mathrm{UrR}_{\mathbb{A}_0}$ is defined with respect to the context $\mathcal{C}_{A2}$, and includes the set of 3-tuples $((\mathbb{A}^*, t, n, n', \lambda_0), \lambda, \mathbb{B}^*)$ such that $((\mathbb{A}^\circ, \lambda_0), \lambda, \mathbb{B}^*) \in \mathrm{Skl}_{\mathbb{A}_0}$ and

• UR1. $n = n'$ or one of $n, n'$ are not points of origination of $t$ in $\mathbb{A}$.

First  we  state  a  main  lemma  about  the  unique  origination  rectification 
suite: 

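Lemma 11.4 (ur-universality). Let $\mathbb{A}_0^\circ$ be a skeleton and let $\mathbb{A}^\circ$ be a preskeleton such that $\mathbb{A}_0^\circ \xrightarrow{\lambda_0} \mathbb{A}^\circ$. Let $t$ be a term in $U_{\mathbb{A}}$ and let $n$ and $n'$ be distinct nodes in $\mathbb{A}$ which are both points of origination of $t$ in $\mathbb{A}$. Then $(\mathbb{A}^\circ, t, n, n', \lambda_0) : [\mathrm{UrI}_{\mathbb{A}_0} \stackrel{\mathfrak{ur}_{t,n,n'}}{\Longrightarrow} \mathrm{UrR}_{\mathbb{A}_0}]$.

In other words, $\mathfrak{ur}_{t,n,n'}$ can resolve unique origination issues while maintaining skeleton coverage.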

The  proof  is  largely  split  into  two  cases:  one  for  using  the  merging  suite 
and  one  for  using  the  deorigination  suite.  With  a  little  work  these  can  be 
their  own  lemmas. 

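Definition 11.5 (Unique origination issue (merging) coverage property). Let $\mathbb{A}_0^\circ$ be a skeleton and let $\mathbb{A}_0^\circ \xrightarrow{\lambda_0} \mathbb{A}^\circ$. Then the unique origination issue (merging) predicate $\mathrm{UrIM}_{\mathbb{A}_0}$ is defined with respect to the context $\mathcal{C}_{A2}$, and includes the set of 3-tuples $((\mathbb{A}^*, t, n, n', \lambda_0), \lambda, \mathbb{B}^*)$ such that $((\mathbb{A}^*, t, n, n', \lambda_0), \lambda, \mathbb{B}^*) \in \mathrm{UrI}_{\mathbb{A}_0}$ and

• UIM1. $\varphi(n) = \varphi(n')$ where $\lambda = (\varphi, \sigma)$.

Definition 11.6 (Unique origination issue (deorig) coverage property). Let $\mathbb{A}_0^\circ$ be a skeleton and let $\mathbb{A}_0^\circ \xrightarrow{\lambda_0} \mathbb{A}^\circ$. Then the unique origination issue (deorig) predicate $\mathrm{UrID}_{\mathbb{A}_0}$ is defined with respect to the context $\mathcal{C}_{A2}$, and includes the set of 3-tuples $((\mathbb{A}^*, t, n, n', \lambda_0), \lambda, \mathbb{B}^*)$ such that $((\mathbb{A}^*, t, n, n', \lambda_0), \lambda, \mathbb{B}^*) \in \mathrm{UrI}_{\mathbb{A}_0}$ and

• $\neg$UIM1. $\varphi(n) \ne \varphi(n')$ where $\lambda = (\varphi, \sigma)$.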

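Lemma 11.7 (Merging universality). Let $\mathbb{A}_0^\circ$ be a skeleton and let $\mathbb{A}^\circ$ be a preskeleton such that $\mathbb{A}_0^\circ \xrightarrow{\lambda_0} \mathbb{A}^\circ$. Let $t$ be a term in $U_{\mathbb{A}}$ and let $n$ and $n'$ be distinct nodes in $\mathbb{A}$ which are both points of origination of $t$ in $\mathbb{A}$. Then $(\mathbb{A}^\circ, t, n, n', \lambda_0) : [\mathrm{UrIM}_{\mathbb{A}_0} \stackrel{\mathfrak{M}_{t,n,n'}}{\Longrightarrow} \mathrm{UrR}_{\mathbb{A}_0}]$.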

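Proof. Let $\mathbb{A}_0^\circ$ be a skeleton and let $\mathbb{A}^\circ$ be a preskeleton such that $\mathbb{A}_0^\circ \xrightarrow{\lambda_0} \mathbb{A}^\circ$. Let $t$ be a term in $U_{\mathbb{A}}$ and let $n$ and $n'$ be distinct nodes in $\mathbb{A}$ which are both points of origination of $t$ in $\mathbb{A}$. Suppose we have $((\mathbb{A}^*, t, n, n', \lambda_0), \lambda, \mathbb{B}^*) \in \mathrm{UrI}_{\mathbb{A}_0}$, and let $(\varphi, \sigma) = \lambda$ and $(s, i) = n$.

Observe that $n$ and $n'$ are in different strands (since each strand can only originate any atom once), and that $\varphi$ maps these two strands to the same strand in $\mathbb{B}^\circ$. Let $l$ be the minimum of the lengths of strands $s$ and $s'$ in $\mathbb{A}$. Then in order for $(\varphi, \sigma)$ to be a well-defined protomorphism, it must be that $\sigma$ is a unifier of $\mathrm{msg}_{\mathbb{A}}(s, j)$ and $\mathrm{msg}_{\mathbb{A}}(s', j)$ for every $1 \le j \le l$. Let $\sigma_0$ be a most general unifier of $\Theta(s)|_l$ with $\Theta(s')|_l$ such that $\sigma = \sigma' \circ \sigma_0$ for some $\sigma'$.

Let $f = \mathrm{Comp}_{s,s'} \circ \mathrm{Sub}_{\sigma_0} \in \mathfrak{M}_{t,n,n'}(\mathbb{A}^\circ)$. Let $(\varphi_f, \sigma_f) = \lambda_{f(\mathbb{A}^\circ)}$. Let $\varphi'$ be defined strandwise on $f(\mathbb{A}^\circ)$ so that $\varphi'(\varphi_f(s)) = \varphi(s)$ for all $s$; note that this is possible in $f(\mathbb{A})$ since $\varphi(s) = \varphi(s')$. Note that since $(\varphi, \sigma)$ is a protomorphism of assignment-committed protoskeletons, $\mathcal{A}$ assigns both $s$ and $s'$ to the same role, so $f$ in this situation is assignment-transforming.

Then we claim that $((f(\mathbb{A}^*), \sigma_f(t), \lambda_{f(\mathbb{A})} \circ \lambda_0), \lambda', \mathbb{B}^*) \in \mathrm{UrR}_{\mathbb{A}_0}$, where $\lambda' = (\varphi', \sigma')$. We have that $\varphi_f(n) = \varphi_f(n')$, so it remains for us to prove that $((f(\mathbb{A}^*), \lambda_{f(\mathbb{A}^\circ)} \circ \lambda_0), \lambda', \mathbb{B}^*) \in \mathrm{Skl}_{\mathbb{A}_0}$. We proceed through each requirement in the definition of the skeleton coverage predicate:

• S1. $f(\mathbb{A}^*)$ is a preskeleton by Theorem 8.16.

• S2. Guaranteed because $((\mathbb{A}^*, \lambda_0), \lambda, \mathbb{B}^*) \in \mathrm{Skl}_{\mathbb{A}_0}$.

• S3. We must prove $\lambda_{f(\mathbb{A}^\circ)} \circ \lambda_0$ is structure-preserving and that it preserves points of origination. The former property is guaranteed since $f$ is a composition of primitive operators and because $\lambda_0$ is structure-preserving. Furthermore, it preserves points of origination by Lemma 7.25.

• S4. $\lambda' \circ \lambda_{f(\mathbb{A}^\circ)} \circ \lambda_0 = \lambda \circ \lambda_0$, and by property S4 we previously know that $\mathbb{A}_0^\circ \xrightarrow{\lambda \circ \lambda_0} \mathbb{B}^\circ$.

• S5. We know $\lambda$ is a protomorphism of assignment-committed protoskeletons; only the compression operator could have an effect on this, and we have already remarked that the two strands we compress both were assigned to the same role.

Let $\prec$ refer to $\prec_{\mathbb{A}^\circ}$. Let $\prec_m$ be such that $n \prec_m n'$ only when $n = (s, i)$ and $n' = (s', j)$ or $n = (s', i)$ and $n' = (s, j)$ for some $i < j$. The ordering $\prec_{f(\mathbb{A}^\circ)}$ is the transitive closure of $\prec \cup \prec_m$. Thus, $n \prec_{f(\mathbb{A}^\circ)} n'$ if and only if we can define a sequence $n = n_0, n_1, \ldots, n_l = n'$ such that for every $1 \le i \le l$, $n_{i-1} \prec n_i$ or $n_{i-1} \prec_m n_i$.

If $n_{i-1} \prec_m n_i$, then $\varphi'(n_{i-1}) \prec_{\mathbb{B}} \varphi'(n_i)$ because $\varphi'(n_{i-1})$ will precede $\varphi'(n_i)$ in the same strand in $\mathbb{B}$. If $n_{i-1} \prec_{\mathbb{A}} n_i$ then $\varphi'(n_{i-1}) \prec_{\mathbb{B}} \varphi'(n_i)$ because $\varphi'(n_{i-1}) = \varphi(n_{i-1})$ and $\varphi'(n_i) = \varphi(n_i)$, and $\lambda$ is structure-preserving. So we have that $\varphi(n) = \varphi(n_0) \prec_{\mathbb{B}} \ldots \prec_{\mathbb{B}} \varphi(n_l) = \varphi(n')$ and so $\varphi(n) \prec_{\mathbb{B}} \varphi(n')$ because $\prec_{\mathbb{B}}$ is transitive.

• S6. We know that $f(\mathbb{A}^*)$ has strictly role-generated unique origination assumptions over $(\mathbb{A}_0, \lambda_{f(\mathbb{A}^\circ)} \circ \lambda_0)$ because $\mathbb{A}^*$ did over $(\mathbb{A}_0^\circ, \lambda_0)$ and $U_{f(\mathbb{A}^\circ)} = \sigma_{f(\mathbb{A}^\circ)}(U_{\mathbb{A}^\circ})$.

□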
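The merging step in the proof of Lemma 11.7, as an added example that is not code from the paper or from the CPSA implementation. It assumes an unsorted free term algebra (no key inverses, no sorts), and the encoding and all function names are hypothetical; the two strands are constructed sample data.

```python
# Terms (constructed encoding): strings starting with "?" are variables,
# other strings are constants, ("cat", a, b) is a pair and
# ("enc", body, key) is an encryption. A strand is a list of (dir, term).

def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def apply(sub, t):
    """Apply substitution `sub` (dict var -> term) to `t`, following
    bindings until no bound variable remains."""
    if is_var(t):
        return apply(sub, sub[t]) if t in sub else t
    if isinstance(t, tuple):
        return (t[0],) + tuple(apply(sub, a) for a in t[1:])
    return t

def occurs(v, t):
    """True if variable `v` occurs in the already-substituted term `t`."""
    if t == v:
        return True
    return isinstance(t, tuple) and any(occurs(v, a) for a in t[1:])

def mgu(pairs):
    """Most general unifier of all (left, right) pairs, or None."""
    sub, work = {}, list(pairs)
    while work:
        a, b = work.pop()
        a, b = apply(sub, a), apply(sub, b)
        if a == b:
            continue
        if not is_var(a) and is_var(b):
            a, b = b, a
        if is_var(a):
            if occurs(a, b):
                return None              # occurs check: no finite unifier
            sub[a] = b
        elif (isinstance(a, tuple) and isinstance(b, tuple)
              and a[0] == b[0] and len(a) == len(b)):
            work.extend(zip(a[1:], b[1:]))
        else:
            return None                  # constructor or constant clash
    return {v: apply(sub, t) for v, t in sub.items()}

def merge_strands(s1, s2):
    """Unify the first l = min(len) events of two strands, as the proof
    requires, and return (sigma0, merged strand) or None."""
    l = min(len(s1), len(s2))
    if any(s1[j][0] != s2[j][0] for j in range(l)):
        return None                      # send/receive directions must agree
    sigma0 = mgu([(s1[j][1], s2[j][1]) for j in range(l)])
    if sigma0 is None:
        return None
    longer = s1 if len(s1) >= len(s2) else s2
    return sigma0, [(d, apply(sigma0, m)) for d, m in longer]

def factors_through(sigma, sigma0, variables):
    """Check sigma = sigma' o sigma0 on `variables`, using the witness
    sigma' = sigma (valid whenever sigma0 is an idempotent mgu)."""
    return all(apply(sigma, apply(sigma0, v)) == apply(sigma, v)
               for v in variables)

# Constructed sample: two strands that both originate the atom "n" at
# their second event and that a protomorphism maps to one strand.
S1 = [("-", ("enc", ("cat", "?x", "a"), "?k")),
      ("+", ("enc", ("cat", "?x", "n"), "ka"))]
S2 = [("-", ("enc", ("cat", "n0", "?y"), "?k2")),
      ("+", ("enc", ("cat", "?z", "n"), "ka")),
      ("-", ("enc", "n", "kb"))]
VARS = ["?x", "?y", "?z", "?k", "?k2"]
# The substitution of the given protomorphism: a unifier, but not most general.
SIGMA = {"?x": "n0", "?y": "a", "?z": "n0", "?k": "kb", "?k2": "kb"}
SIGMA0, MERGED = merge_strands(S1, S2)
```

The most general unifier leaves the key variable unresolved where `SIGMA` fixes it to `kb`, which is why the less general `SIGMA` can be recovered from it by a further substitution.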

Lemma  11.8  (Deorigination  universality).  Let  Aq  be  a  skeleton  and  let  A° 

be  a  preskeleton  such  that  Aq  A°.  Let  t  be  a  term  in  U&  and  let  n  and  n’ 
be  distinct  nodes  in  A  which  are  both  points  of  origination  of  t  in  A.  Then 

(A°,  t,  n,  n',  A0)  :  [UrIDAo  ^4  UrRAo], 

Proof. Let $\mathbb{A}_0^\circ$ be a skeleton and let $\mathbb{A}^\circ$ be a preskeleton such that $\mathbb{A}_0^\circ \xrightarrow{\lambda_0} \mathbb{A}^\circ$. Let $t$ be a term in $U_{\mathbb{A}}$ and let $n$ and $n'$ be distinct nodes in $\mathbb{A}$ which are both points of origination of $t$ in $\mathbb{A}$. Suppose we have $((\mathbb{A}^*, t, n, n', \lambda_0), \lambda, \mathbb{B}^*) \in \mathrm{UrI}_{\mathbb{A}_0}$, and let $(\varphi, \sigma) = \lambda$ and $(s, i) = n$.

Since $\mathbb{B}$ is a skeleton, $\sigma(t)$ cannot originate at both $\varphi(n)$ and $\varphi(n')$. Without loss of generality, assume that $\varphi(n)$ is not a point of origination of $\sigma(t)$ in $\mathbb{B}$.

Note that $\sigma(t)$ is carried at node $\varphi(n)$ so it must be that there is an earlier node $(s, i') \prec n$ such that $\sigma(t)$ is the termination point of a carried path $(\mathrm{msg}_{\mathbb{B}}(\varphi(s, i')), \pi)$. Let $\pi'$ be the largest prefix of $\pi$ such that $(\mathrm{msg}_{\mathbb{A}^\circ}(s, i'), \pi')$ is a well-defined path; note also that this path is a carried path. Then either $\pi = \pi'$ or $(\mathrm{msg}_{\mathbb{B}^\circ}(s, i'), \pi')$ terminates at a variable $m$ of sort MESG. (Note that in the latter case we are guaranteed to terminate at a variable of sort MESG because of the stipulation that the path is carried.) In the former case, $\sigma$ is a unifier of the endpoint of $(\mathrm{msg}_{\mathbb{A}}(s, i'), \pi)$ with $t$, and in the latter case $\sigma$ is a unifier of $m$ with a term that carries $t$. Either way, we can write $\sigma = \sigma' \circ \sigma_0$ where $f = \mathrm{Sub}_{\sigma_0}$ belongs to the deorigination suite applied to $\mathbb{A}^\circ$. Let $\varphi' = \varphi$.

We will show that $((f(\mathbb{A}^*), \sigma_0(t), n, n', \lambda_{f(\mathbb{A})} \circ \lambda_0), \lambda', \mathbb{B}^*) \in \mathrm{UrR}_{\mathbb{A}_0}$, where $\lambda' = (\varphi', \sigma')$. We know that $\sigma_0(t)$ is carried in $\mathrm{msg}_{f(\mathbb{A}^\circ)}(s, i')$, so $\sigma_0(t)$ does not originate at node $n$ in $f(\mathbb{A}^\circ)$, so we need only prove that $((f(\mathbb{A}^*), \lambda_{f(\mathbb{A})} \circ \lambda_0), \lambda', \mathbb{B}^*) \in \mathrm{Skl}_{\mathbb{A}_0}$. We proceed through each requirement in the definition of the skeleton coverage predicate:

• S1. $f(\mathbb{A}^*)$ is a preskeleton by Theorem 8.16.

• S2. Guaranteed because $((\mathbb{A}^*, \lambda_0), \lambda, \mathbb{B}^*) \in \mathrm{Skl}_{\mathbb{A}_0}$.

• S3. We must prove $\lambda_{f(\mathbb{A}^\circ)} \circ \lambda_0$ is structure-preserving and that it preserves points of origination. The former property is guaranteed since $f$ is a composition of primitive operators and because $\lambda_0$ is structure-preserving. Furthermore, it preserves points of origination by Lemma 7.25.

• S4. $\lambda' \circ \lambda_{f(\mathbb{A}^\circ)} \circ \lambda_0 = \lambda \circ \lambda_0$, and by property S4 we previously know that $\mathbb{A}_0^\circ \xrightarrow{\lambda \circ \lambda_0} \mathbb{B}^\circ$.

• S5. Since it is the same as $\lambda$ on strands, we already know $\lambda'$ is a protomorphism of assignment-committed protoskeletons. Furthermore, the orderings in $f(\mathbb{A})$ are the same as the orderings in $\mathbb{A}$, so $\lambda'$ must be structure-preserving.

• S6. We know that $f(\mathbb{A}^*)$ has strictly role-generated unique origination assumptions over $(\mathbb{A}_0, \lambda_{f(\mathbb{A}^\circ)} \circ \lambda_0)$ because $\mathbb{A}^*$ did over $(\mathbb{A}_0^\circ, \lambda_0)$ and $U_{f(\mathbb{A}^\circ)} = \sigma_{f(\mathbb{A}^\circ)}(U_{\mathbb{A}^\circ})$.

□


We  now  give  the  proof  of  Lemma  11.4. 

Proof of Lemma 11.4. Let $\mathbb{A}_0^\circ$ be a skeleton and let $\mathbb{A}^\circ$ be a preskeleton such that $\mathbb{A}_0^\circ \xrightarrow{\lambda_0} \mathbb{A}^\circ$. Let $t$ be a term in $U_{\mathbb{A}}$ and let $n$ and $n'$ be distinct nodes in $\mathbb{A}$ which are both points of origination of $t$ in $\mathbb{A}$. Suppose we have $((\mathbb{A}^*, t, n, n', \lambda_0), \lambda, \mathbb{B}^*) \in \mathrm{UrI}_{\mathbb{A}_0}$, and let $(\varphi, \sigma) = \lambda$ and $(s, i) = n$.

The proof proceeds by cases. One of the following must be the case:
Case  1:  (p(n)  =  <p(n').  In  this  case,  ((A*,  t,  n,  n',  Ao),  A,  B#)  G  UrIAo,  so  by 
Lemma  11.7  there  exists  an  f  G  C  uttjflj„'(A0)  and  a  A'  such  that 

((f(A*),  f(t),  f(n),  f(n'),  f(A0)),  A',  B#)  G  UrRAo  and  such  that  A  =  A'  oA^. 
Case  2:  <p(n)  </?(n').  In  this  case,  ((A*,  t,  n,  n',  A0),  A,B*)  G  UrIAo,  so 

by  Lemma  11.8  there  exists  an  f  G  St)Tl)n/ (A0)  C  uttjriin/(A0)  and  a  A'  such 
that  ((f(A*),  f(A),  f(n),  f(n'),  f(Ao)),  A',  B*j  G  UrRAo  and  such  that  A  =  A'  o 
Af(A).  □ 

Next,  we  prove  a  lemma  about  the  order  enrichment  operator. 

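Definition 11.9 (Skeleton coverage without unique origination issues). Let $\mathbb{A}_0^\circ$ be a skeleton. Then skeleton coverage without unique origination issues, $\mathrm{SklU}_{\mathbb{A}_0}$, is defined with respect to the context $\mathcal{C}_A$, and includes the set of 3-tuples $((\mathbb{A}^*, \lambda_0), \lambda, \mathbb{B}^*)$ in $\mathrm{Skl}_{\mathbb{A}_0}$ such that $\mathrm{NUO}(\mathbb{A}) = \emptyset$.

Lemma 11.10 (Order enrichment). Let $\mathbb{A}_0^\circ$ be a skeleton and let $\mathbb{A}^\circ$ be a preskeleton such that $\mathbb{A}_0^\circ \xrightarrow{\lambda_0} \mathbb{A}^\circ$. Then $(\mathbb{A}^\circ, \lambda_0) : [\mathrm{SklU}_{\mathbb{A}_0} \stackrel{\mathfrak{oe}}{\Longrightarrow} \mathrm{SklHom}_{\mathbb{A}_0}]$, where $\mathfrak{oe} = \{\mathrm{OE}\}$.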

Proof. Let $\mathbb{A}_0^\circ$ be a skeleton and let $\mathbb{A}^\circ$ be a preskeleton such that $\mathbb{A}_0^\circ \xrightarrow{\lambda_0} \mathbb{A}^\circ$. Let $\lambda_0 = (\varphi_0, \sigma_0)$ and let $\lambda = (\varphi, \sigma)$.

Let $((\mathbb{A}^*, \lambda_0), \lambda, \mathbb{B}^*) \in \mathrm{SklU}_{\mathbb{A}_0}$. Then we claim that $((\mathrm{OE}(\mathbb{A}^*), \lambda_0), \lambda, \mathbb{B}^*) \in \mathrm{SklHom}_{\mathbb{A}_0}$; note that $\lambda_{\mathrm{OE}(\mathbb{A}^\circ)} \circ \lambda_0 = \lambda_0$. We need only establish that $\mathrm{OE}(\mathbb{A}^*)$ is a skeleton and that $\lambda$ is a homomorphism.

We know that $\mathrm{OE}(\mathbb{A}^\circ)$ is a preskeleton by Theorem 8.16. To prove that $\mathrm{OE}(\mathbb{A}^\circ)$ is a skeleton, we need to check two things: first, that each uniquely-originating atom originates on exactly one strand, and second, that the node of origination precedes each other node that carries that atom. The latter condition is guaranteed because all such instances of that requirement are ensured to be in the ordering after applying OE.

Each uniquely-originating atom originates on at most one strand in $\mathbb{A}^\circ$ since $\mathrm{NUO}(\mathbb{A}) = \emptyset$. To prove that each uniquely-originating atom originates on at least one strand, we appeal to the fact that $\mathbb{A}^*$ has strictly role-generated unique origination assumptions over $(\mathbb{A}_0^\circ, \lambda_0)$. For every $t$ in $U_{f(\mathbb{A}^\circ)}$, either:

Case 1: There exists a $t' \in U_{\mathbb{A}_0^\circ}$ such that $t = \sigma_0(t')$. In this case, because $\mathbb{A}_0^\circ$ is a skeleton, $t'$ must originate at a node $n \in \mathbb{A}_0^\circ$. Therefore, $t$ originates at $\varphi_0(n)$; this point of origination must be preserved because it is preserved under an extension, namely $\lambda \circ \lambda_0$.

Case  2:  There  exists  a  strand  s  G  OE(A°)  with  Al(s)  =  (ps,as),  and  a  t'  E  UPs 
such  that  a s{t')  =  t,  such  that  t'  originates  in  CPs\ len(@0E(A°)(s))  at 
event  i.  Since  OE(A°)  is  a  preskeleton,  as(t)  originates  in  OE(A°)  at 
(s,i). 

Next we must prove that $\lambda$ is a homomorphism.

First we prove that $\lambda$ preserves points of origination. Let $t \in U_{\mathrm{OE}(\mathbb{A}^\circ)}$ and let $n$ be a point of origination of $t$ in $\mathrm{OE}(\mathbb{A}^\circ)$. There are two cases. Either:

Case 1: There is a $t_0 \in U_{\mathbb{A}_0}$ and a point $n_0 \in \mathbb{A}_0$ such that $\sigma_0(t_0) = t$ and $t_0$ originates at $n_0$ in $\mathbb{A}_0$. This point of origination must be preserved because it is preserved under $\lambda \circ \lambda_0$.

Case  2:  Let  n  =  ( s,i ').  Then  Al(s)  =  (ps,as),  and  there  is  a  t'  G  UPs  such 
that  a s{t')  =  t  and  such  that  t'  originates  in  CPs  \  len(©A°(s))  at  event 
i.  Since  OE(A°)  is  a  preskeleton,  as(t)  originates  in  OE(A°)  at  (s,i), 
and  thus  %'  =  i.  Since  A  is  a  protomorphism  of  assignment-committed 
protoskeletons,  and  since  B*  is  a  preskeleton,  a(t)  must  originate  at 
node  (p(n). 

These  cases  are  exhaustive  since  A*  has  strictly  role-generated  unique 
origination  assumptions  over  (A0,  Ao),  and  thus  so  does  OE(A*)  since  it  only 
differs  from  A*  in  its  orderings. 

All  that  is  left  is  to  prove  that  A  is  a  structure-preserving  protomor¬ 
phism  from  OE(A°)  to  B°.  We  already  know  that  A  is  a  structure-preserving 
protomorphism  from  A°  to  B°,  because  we  know  ((A°,  Ao),  A,  B*)  G  SklA0. 
However,  OE(A°)  may  have  additional  orderings  and  we  must  prove  these 
are  preserved  under  A. 

Let  -<  refer  to  -<a°,  that  is,  -<  refers  to  the  ordering  before  order-enrichment. 
Let  -<oe  be  such  that  n  -<oe  n'  where  n,n'  G  OE(A°)  if  and  only  if  there 
is  a  t  G  f/oE(A°)  that  originates  at  n  and  is  carried  at  n!  ^  n.  Recall  that 
-<oe(a°)  is  the  transitive  closure  of  -<  U  -<oe-  Thus,  n  ^oe(a°)  n>  if  and 
only  if  we  can  define  a  sequence  n  =  no,  ni, . . . ,  rq  =  n!  such  that  for  every 
1  <  i  <  l,  rij_i  -<  n*  or  7ij_i  -<oe 

If n_{i-1} ≺_oe n_i there is a term t_{i-1} originating at n_{i-1} in f(A°) that is
carried at n_i. Since A preserves points of origination, σ(t_{i-1}) ∈ U_B, σ(t_{i-1})
originates at φ(n_{i-1}) in B, and is carried at φ(n_i) in B. Since B is a skeleton,
φ(n_{i-1}) ≺_B φ(n_i). Of course, if n_{i-1} ≺ n_i then φ(n_{i-1}) ≺_B φ(n_i) since A is
structure preserving from A° to B°. So we have that φ(n) = φ(n_0) ≺_B ··· ≺_B
φ(n_l) = φ(n') and so φ(n) ≺_B φ(n') because ≺_B is transitive. This completes
the proof. □
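The order-enrichment step used in this proof, as an added Python example (it is not CPSA's Haskell code and not from the paper): it computes the transitive closure of ≺ ∪ ≺_oe for a small constructed two-strand exchange and checks that the result is still a strict order. The term encoding, the function names, and the reading of "originates" as "the first event on the strand that carries the term is a transmission" are assumptions of the example; strand succession is folded into ≺.

```python
# Terms: atoms are strings; ("cat", t1, t2) is a pair; ("enc", body, key) is
# an encryption. A node is (strand, index); an event is (direction, message)
# with "+" for a transmission and "-" for a reception. All names are
# hypothetical and the strands below are constructed sample data.

def carries(msg, t):
    """t is carried by msg: reachable through pairs and encryption bodies,
    never through the key position."""
    if msg == t:
        return True
    if isinstance(msg, tuple) and msg[0] == "cat":
        return any(carries(part, t) for part in msg[1:])
    if isinstance(msg, tuple) and msg[0] == "enc":
        return carries(msg[1], t)
    return False


def origination_points(strands, t):
    """Nodes where t originates: on each strand, the first event carrying t,
    provided that event is a transmission (assumed definition)."""
    points = []
    for s, trace in strands.items():
        for i, (direction, msg) in enumerate(trace):
            if carries(msg, t):
                if direction == "+":
                    points.append((s, i))
                break  # only the first carrying event can be an origination
    return points


def transitive_closure(pairs):
    closure = set(pairs)
    while True:
        new = {(a, d) for (a, b) in closure for (c, d) in closure if b == c}
        if new <= closure:
            return closure
        closure |= new


def order_enrich(strands, order, uniq):
    """Transitive closure of (order ∪ strand succession ∪ ≺_oe), where
    n ≺_oe n' iff some t in uniq originates at n and is carried at n' ≠ n."""
    succ = {((s, i), (s, i + 1))
            for s, trace in strands.items() for i in range(len(trace) - 1)}
    oe = set()
    for t in uniq:
        for n in origination_points(strands, t):
            for s, trace in strands.items():
                for i, (_, msg) in enumerate(trace):
                    if (s, i) != n and carries(msg, t):
                        oe.add((n, (s, i)))
    return transitive_closure(set(order) | succ | oe)


def is_strict_order(closure):
    """A transitively closed relation is a strict order iff it is irreflexive.
    A reflexive pair means the enriched ordering has a cycle."""
    return all(a != b for (a, b) in closure)


# Constructed sample: a three-message nonce exchange between two strands.
STRANDS = {
    "init": [("+", ("enc", ("cat", "n1", "a"), "kb")),
             ("-", ("enc", ("cat", "n1", "n2"), "ka")),
             ("+", ("enc", "n2", "kb"))],
    "resp": [("-", ("enc", ("cat", "n1", "a"), "kb")),
             ("+", ("enc", ("cat", "n1", "n2"), "ka")),
             ("-", ("enc", "n2", "kb"))],
}
UNIQ = ["n1", "n2"]  # uniquely originating atoms

if __name__ == "__main__":
    enriched = order_enrich(STRANDS, set(), UNIQ)
    for a, b in sorted(enriched):
        print(a, "precedes", b)
    print("strict order:", is_strict_order(enriched))
    # A base ordering that puts the reception of n1 before its origination
    # cannot be enriched into a strict order.
    bad = order_enrich(STRANDS, {(("resp", 0), ("init", 0))}, UNIQ)
    print("strict order with bad base ordering:", is_strict_order(bad))
```
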

Now  we  can  prove  Lemma  10.15. 

Lemma  10.15  (Skeletonization  completeness).  Let  Aq  be  a  skeleton  and  let 

\  r  WFnffCA  A 

A°  be  a  preskeleton  such  that  Aq  — L  A°.  Then  (A°,  A0)  :  [SklAo  =P 

SklHomAo] 

Proof.  Let  Aq  be  a  skeleton  and  let  A°  be  a  preskeleton  such  that  Aq  A°, 
and  assume  ((A*,  A0),  fa,  B*)  G  SklAo. 

We  define  a  sequence  of  tuples  ((A*,  A*),  /4,  B*,  fj)  with  1  <  i  <  k  as 
follows: 

1.  A*  =  A*,Ai  =  \q,  pi  =  p.  Note  that  ((A*,  Ai),  pi,  B#)  G  SklAo.  We  do 
not  yet  define  fi;  nonetheless,  note  that  p\  =  p o(Afi_1(A°_ jo. .  ,oAfl(Ao)) 
for  i  —  1,  since  the  sequence  is  empty. 

2.  For  i  >  1,  if  NUO(Aj)  is  nonempty,  let  (L,nj,n')  be  UOI(A). 

We  know  that  ((A*,  L,  n,,  n',  A*),  Pi,  B*)  G  UrIAo.  By  Lemma  11.4 
that  there  is  an  fj  G  urii!niin/(A°)  and  a  pi+ 1  such  that 

((fj(A'),fj(fj),fj(nj),fj(n'),fj(Aj)),/rj+i,B*)  G  UrRAo  and  p  =  pt  o 

o  .  .  .  o  Afl(A0)). 

If  we  let  A*+1  =  fj(Aj)  and  Aj+i  =  Af,(A°)  o  \  then 

((A*+1,  Aj+i),  pi+i,  B#)  G  SklAo. 

3.  If  i  >  1  but  NUO(Aj)  is  empty  then  let  k  —  i  and  let  fj  =  Id. 

By  assuming  that  a  k  exists  we  are  effectively  assuming  that  this  part  of 
skeletonization  terminates  in  finitely  many  steps.  However,  it  clearly  must:  at 
every  step,  the  sum  of  the  heights  of  each  point  of  origination  of  a  uniquely 
originating  term  is  strictly  decreasing,  because  when  we  use  the  merging 
suite,  we  reduce  the  sum  by  the  height  of  one  of  the  origination  points  that 
merge,  and  when  we  use  the  deorigination  suite,  we  either  destroy  a  point 
of  origination  without  replacing  it,  or  we  replace  it  at  an  earlier  node  in  the 
same  strand. 

Note that f*, G ut(A£) since NUO(Afe) = 0. Also note that for 1 < i < k, if
ffco. . . o fl+ ,  g  ur(A°+1)  then  ffco. .  .of*  g  ur(A°).  Therefore  let  g  =  f^o. .  .  g 
ut(A'j’)  =  ut(A°),  and  let  f  =  OE  o  g  g  6(A°).  Note  that  as  a  composition  of 
assignment-transforming  operators,  f  is  assignment-transforming. 

Note  that  we  already  know  that  ((g(A*),  Ag(Ao)  °  A0),//,B*)  G  SklUAo. 
Therefore,  ((f(A*),  Af(Ao)  °  A0),//,B#)  G  SklHomAo  by  Lemma  11.10. 

We  must  only  prove  that  (A°,f)  G  WF  fl  HCa0,\0 ■  f(A°)  is  clearly  a 
preskeleton  by  Theorem  8.16.  Also,  AqAo)  °  Ao  is  a  homomorphism  since 
((f(A’),  A), //',!•)  GSklHomAo. 

&WFnHCAoAo 

This  completes  the  proof  that  (A°,  A0)  :  [SklAo  =»  SklHomAo], 

□ 


12  Pre-Cohort  Completeness 

In  this  section  we  build  up  to  a  proof  of  Lemma  10.11. 

12.1  Preliminaries 

First, some definitions. Earlier we defined cohort coverage and precohort
coverage, which were defined in terms of a protomorphism to a realized skeleton
remove-equivalent to a target. In two of the main lemmas needed to prove
Lemma 10.11, we get factorization of the homomorphism to the same target;
we only need that flexibility for the case where we employ listener
augmentation. As a precursor to the definitions we use for these two lemmas, we
first define direct cohort and precohort coverage.

Definition 12.1 (Direct coverage context). Let the direct coverage context
C_D be (Opr, (PSkel* × PSkel°), Act_D) where Act_D(A, g, f) = f ∘ g.

Definition 12.2 (Direct cohort coverage). The direct cohort coverage
property DCoh is defined with respect to the context C_D, and includes the set of
4-tuples ((A*, g), A, B*, A'°) such that:

•  DC1  A*  is  a  skeleton. 

•  DC2  B*  is  a  skeleton. 

• DC3 A* ---> B*.

• DC4 g(A'°) = A°.


Definition 12.3 (Direct precohort coverage). The direct precohort coverage
property DPCohn,p is defined with respect to the context C_D, and includes the
set of 4-tuples ((A*, g), A, B*, A'°) such that:

•  DPC1  A*  is  a  preskeleton. 

•  DC2  B*  is  a  skeleton. 

•  DPC3  A*  --->  B*,  where  X  is  structure-preserving. 

•  DC4  g(A'°)  =  A°. 

• DPC5 A* has strictly role-generated unique origination assumptions
over (A'°, Ag(A'°)).

•  DPC6.  For  all  X'  such  that  A  --->  C  B  with  X  =  A"  o  A',  p  is  weakly 
solved  in  J-c,tp'(n)  by  o’  where  X'  =  (</?',  cr'). 

The  three  main  lemmas  in  this  section  will  correspond  to  the  contraction, 
regular  augmentation,  and  listener  augmentation  suites.  In  each  case,  we 
will  state  the  lemma  as  a  suite  factoring  statement;  the  conditions  before 
will  be  more  specific  than  cohort  coverage  (or  direct  cohort  coverage)  and 
the  conditions  after  will  be  either  precohort  or  direct  precohort  coverage. 

12.2  Contractions 

For  the  contraction  case,  the  condition  that  guarantees  a  contraction  will 
work  is  the  following: 

Definition 12.4 (Direct cohort coverage with test destroyed). Let A° be an
unrealized skeleton and let (n, p) be a test. Then the direct cohort coverage
with test destroyed coverage property DCohTDn,p is defined with respect to
the context C_D, and includes the set of 4-tuples ((A*, g), A, B*, A'°) such that
((A*, g), A, B*, A'°) ∈ DCoh and

•  TD1  o(p)  visits  a(Esc(AAoin,  ep)),  where  (<p,o)  =  X. 

This allows us to state and prove the completeness lemma for the
contraction suite.

Lemma 12.5 (Contraction completeness). Let A° be an unrealized skeleton

cHC 

and  let  ( n,p )  be  a  test.  Then  (A0,  Id)  :  [DCohTDnp  ==A-  DPCohn>p]. 

Proof.  Let  ((A*,  Id),  A,  B*,  A°)  G  DCohTDnp,  where  A  =  (tp,cr)  and  p  = 
(t,n).  Let  p'  =  (cr(t),  tt).  Since  we  know  p'  visits  a  (Esc  (IFa,  n,  ep)),;  unifies 
a  b  visited  by  p  and  an  a  in  Esc(jFA  n,  ep).  Therefore,  there  is  a  <To  G  UsgzA 
such  that  cr0  unifies  a  and  6,  and  such  that  cr  =  o'  o  <j0  for  some  cr',  and 
Sub^  e  cn>p.  Let  f  =  Sub^,  and  let  X  =  (p}ar). 

We  claim  that  ((f(A’),  f),  A',  B#,  A°)  e  DPCohn>p. 

1.  DPC1  is  guaranteed  by  Theorem  8.16. 

2.  DC2  is  known  since  ((A*,  Id),  A,B#,  A°)  e  DCohTDnp. 

3. DPC3 Whether A' is a structure-preserving protomorphism or not, and
whether it is a protomorphism of assignment-committed protoskeletons
or not, depends only on its strand mapping, φ. Since A is a
homomorphism, it has these properties and thus so does A'.

4.  DC4  is  obvious. 

5.  DPC5  Since  f/f(A)  =  U&,  all  unique  origination  assumptions  are  directly 
inherited,  so  this  condition  is  met. 

6.  DPC6  Note  that  since  cq  unifies  a  and  b ,  it  is  immediately  clear  that 
(cr0(f),7r)  visits  ct0(Esc(J:a;„,  ep)).  By  Remark  9.14,  this  remains  true 
under  any  extension. 

We need only prove that A° --Af(A)--> f(A). It is obvious that Af(A) is
structure-preserving, and by Lemma 7.25, since A preserves points of
origination, so does Af(A).

□ 


12.3  Listener  Augmentation 

Next, we address the case of listener augmentation. For this suite, we cannot
make use of direct versions of our coverage properties, because if we add a
listener but no corresponding listener is present in B, there is no
homomorphism. Rather, we find a proper place to add a listener to B.

Definition 12.6 (Cohort coverage with certain values derivable). Let A°
be a skeleton and let (n, p) be a test and let ep be the endpoint of p. The
cohort coverage with certain values derivable coverage property CohCVDn,p
is defined with respect to the context Cm, and includes the set of 4-tuples
((A*, g), A, B°, A'°) in Coh such that

• CVD. Let A = (φ, σ). Then either:

— EL. There exists {|c|}u ∈ Esc(jFA n, ep) such that inv(σ(u)) ∈ S?w

— CL. ep = {|c|}u and σ(u) ∈ <%^(n).

Lemma  12.7  (Listener  augmentation  completeness).  Let  A°  be  an  unrealized 

[HC 

skeleton and let (n, p) be a test. Then (A°, Id) : [CohCVDn,p ===> PCohn,p].

Proof.  Let  ((A*.  Id),  A,  B°,  A°)  be  in  CohCVDnp  with  A  =  (<p,a).  Let  B'* 
satisfy  condition  C3.  There  are  two  cases:  either  EL  holds  or  CL  holds.  Let 
s*  be  NAME  (A).  Let  s' *  £  Iw. 

If  condition  EL  holds  for  {|c|}n  G  EscjFA  n,ep  then  let  f  =  Augn  lsn  2  a*  s* 
where  a*  maps  the  m  in  the  listener  role  to  inv(u).  Note  that  f  G  eslr)jP(A°). 
In  this  case,  let  t  =  inv(w).  Note  that  aft)  G  because 

cr(inv(tt))  =  inv(cr(u))  as  u  is  not  a  variable  of  sort  MESG. 

If  condition  CL  holds  then  let  f  =  Augn  £  s*  where  a*  maps  the  m  in 
the  listener  role  to  u.  Note  that  f  G  cp[np(A°).  In  this  case,  let  t  =  u.  Note 
that  a(t)  G  St  ,  by  condition  CL. 

Either  way,  note  that  f  G  ln;P(A°).  Let  A'  =  (tpfa)  where  —  p  on 
all  strands  in  A*  and  p'(s*)  =  s'*.  Let  f'  =  o  Aug^^  ^^^oo-*^'*, 

where  Fn>n/  is  a  (non-primitive)  operator  that  forces  all  transmissions  before 
n  to  be  before  n'.  Formally,  Fnj„/(A,  A)  =  ((/A,  ©A,  iVA,  U/f),A)  where  A 
is  the  transitive  closure  of  -<A  U  -<ny  where  n i  -<ny  n!  whenever  n\  is  a 
transmission  node  such  that  ri\  -<A  n. 

We  claim  that  ((f(A*),  f),  A',  B°,  A°)  G  PCohnjP,  with  f^B7*)  satisfying 
condition  P3. 

• P1. We know f(A*) is a preskeleton by Theorem 8.16.

•  P2.  B°  is  a  realized  skeleton  because  ((A*,  (Id)),  A,  B°,  A°)  G  Coh. 

• P3. To see that f'(B'*) is a skeleton, we need to establish that the nodes
in s'* are ordered after all the points of origination of any
uniquely-originating atoms they carry. However, we know that σ(t) ∈ D(Pw,<p(n))
and thus every uniquely-originating atom carried by σ(t) is also carried
by a transmission prior to n in B'. Since B' is a skeleton, the origination
point of that atom is before that transmission, and that transmission is
before both nodes in the new listener in f'(B'*). The only reception in
f'(B'*) not in B* is the reception in the listener strand s'*, of σ(t), and
σ(t) ∈ D(Pv^n')). Since -Pp(B'),(s'*,i) = Pw,<p'{n)i σ(t) ∈ -D(-^f'(B,)>(s,M)),
so the additional reception is realized, and all other receptions in f'(B')
are realized because they are realized in B'. Therefore, B'* is realized.

It  should  be  obvious  that  B7°  =  f7(B7°)  and  thus  B°  =  f7(B7°). 

y 

It  should  be  clear  that  A7  is  a  protomorphism  f(A*)  — ■»  f7(B7*);  the 
only  role  not  known  to  be  preserved  by  the  fact  that  A  is  assignment¬ 
preserving  is  the  role  of  s*  which  is  Isn  in  both  f(A*)  and  f7(B7*).  A7 
is  structure- preserving:  if  n\  -<  n-z  in  f(A*)  there  are  two  possibilities. 
The  first  is  that  n\,ri2  G  A*  in  which  case,  A7  maps  both  ri\  and  riz 
just  as  A  does,  and  since  A  is  structure-preserving,  tp'(rii)  -<b'  <p'{n 2) 
so  </?7(ni)  </?7(n2).  The  other  is  that  ri\  is  in  the  strand  s*  and 

n  -<  n-2 ■  But  then  <p'(ni )  is  in  the  strand  s *  and  since  n,  712  G  A*, 
< p'{n )  -<f/(B')  ip\ri2),  and  since  by  the  operation  of  Aug,  <^7(n  1) 

937(n),  we  have  that  Lp\n  1)  -<c(b')  <^'(712) . 

•  P4  is  obvious. 

• P5 is true because since £ has no uniquely originating atoms, U_f(A) = U_A.

•  P6  Since  t  is  in  St,,.,  ,  we  meet  either  condition  Sol3  or  Sold  of  Defi- 

J  f(A),n  7 

nition  5.5.  By  Remark  9.14  this  remains  true  in  any  extension. 

Furthermore,  A|Rmv(Ao)  =  (A7  o  Af(A))|Rmv(A0)  because  Af(A)|Rmv(A°)  is  the 
identity  and  A7  is  the  same  as  A  on  all  strands  in  A. 

We need only prove that A° --Af(A)--> f(A). It is obvious that Af(A) is
structure-preserving. Since Af(A) is the identity homomorphism on the
algebra, it preserves points of origination.

Thus, (A°, Id) : [CohCVDn,p ===> PCohn,p]. □

12.4 Regular Augmentation

Third,  we  address  the  case  of  regular  augmentation.  Here,  we  can  use  the 
direct  form  of  coverage  again,  but  this  time  we  make  very  strong  assumptions 
about  B. 

Definition 12.8 (Direct cohort coverage with good augmentation
candidate). Let A° be an unrealized skeleton and let (n, p) be a test. Then the
direct cohort coverage with good augmentation candidate property DCohGACn,p
is defined with respect to the context C_D, and includes the set of 4-tuples
((A*, g), A, B*, A'°) with X = (φ, σ) such that ((A*, g), A, B*, A'°) ∈ DCoh and
there exists a strand sB in 1b and a 4-tuple (p, i, π, tt) with p a protocol role,
i < |Cp| with event i in Cp being a transmission, (Cp(i), π) is a carried path
ending at a variable, and tt ∈ Targ(Esc(jFA n, ep), ep) with (tt, πtt) a carried
path ending at ep such that:

•  WFC1.  If  the  endpoint  of  ( Cp[i ),  tt)  is  not  a  variable  of  sort  MESG  then 
tt  =  ep. 

•  FC1.  sb  is  associated  with  role  p  in  B%  and  |@b(sb)|  >  i- 

•  FC2.  (sB,i)  -<b 

•  FC3.  The  endpoint  of  (msgM(sA,  i),  tt)  is  cr (fit). 

•  WFC2.  For  all  i'  <  i,  for  all  carried  paths  p 1  =  (msgM(sM,i'),TT')  with 
endpoint  cr(ep),  p'  visits  o^Esc^a^,  ep)). 

•  WFC3.  Either: 

—  WFCSa.  The  path  (msg^SAfi),^^)  does  not  visit  cr(Esc(iFA,n,ep)) , 
or 

—  WFCSb.  There  is  a  prefix  tt'  of  tt  ~  tt11  such  that  (msgn(sn,i),Tr') 
traverses  a  term  in  Esc(^rB,^(n),  cr(ep))  and  the  endpoint  of 
( msgB(sA,i),TT ')  is  not  in  a(Targ(Esc(lrA,n,  ep),  ep)). 

A note on the naming of these conditions: WFC stands for “well-formed
candidate.” These are the conditions that guarantee that our candidate
augmentation will be in the an,p suite. FC stands for “factoring candidate.”
These conditions guarantee that the candidate augmentation results in a
factoring of the coverage we care about.


Lemma 12.9 (Regular augmentation completeness). Let A° be an unrealized
skeleton and let (n, p) be a test. Then (A°, Id) : [DCohGACn,p ===> PCohn,p].

Proof.  Suppose  ((A*,  Id),  A,  B*,  A°)  is  in  DCohGACnp,  with  s®,  p,  i,ir,tt  as 
specified  in  the  definition.  Let  s *  =  NAME(A). 

Note  that  the  endpoint  of  (Cp(i),  7r)  is  a  variable  v.  There  is  a  unique 
most  general  unifier  of  FR(A,  p,  i)(v)  with  tt,  call  it  <j0.  Let  A'*  = 
hugn,p,i,<r0oFR(A,p,i),NAME(A)(A')-  We  extend  A  =  (<p,cr)  to  a  map  (<p‘,  a') 
from  A'*  to  B*  as  follows:  p'  =  p  on  all  strands  other  than  NAME  (A), 
and  p' (N AM E (A))  =  sb-  Since  sb  is  an  instance  of  role  p,  p'  preserves  role 
associations.  Let  o'  —  a  on  all  variables  occurring  in  A.  The  only  variables 
occurring  in  A'  that  do  not  occur  in  A  are  the  variables  FC( A,  p,  i)(v')  for  v1  a 
variable  occurring  in  Cp\i  other  than  v’  =  v.  a'(FC(A,  p,  i)(v'))  =  cre(SB)(t/). 

Thus  we  have  A/#  BV 

Note,  by  WFC2,  that  a'  is  a  map  such  that  for  all  i'  <  i,  for  all  carried 
paths  p'  G  CarPath(C'(f/))  such  that  the  endpoint  of  cr'((a0  oFR(A,  p,  i))(p')) 
is  cr'(ep),  p'  visits  or'(Esc(AA)n,  ep)).  Let  ui  be  a  most  general  map  with  this 
property  more  general  than  cr',  so  that  a’  =  a"  o  <j\ . 

Then  f  =  SubCT1  o  Aug n,pMooFR(A,P,i),NAME(Ap  we  claim  that  f  G  on,p(A). 
Observe: 

•  Cp{i)  is  assumed  to  be  a  send  event  in  Definition  12.8. 

•  If  pp  =  (Cp(i),  7r)  then  the  endpoint  of  pp  is  a  variable  v,  and  if  that 
variable  is  not  of  sort  MESG  then  tt  =  ep,  by  condition  WFC1. 

•  do  is  the  most  general  unifier  of  tt  with  v,  and  thus  So  =  {<r0}  so  in 
particular  <r0  G  S0. 

•  <j\  is  a  most  general  map  such  that  for  all  i’  <  i  and  for  all  carried 
paths  p'  G  CarPath(C'(i/)),  if  the  endpoint  of  (Ti((<to  o  FR(A,  p,i)){p')) 
is  ai(ep)  then  <Ji(p')  visits  an  element  of  <r1(Esc(jFAjn,  ep)). 

Let  A'  =  ( <p',<T ").  We  claim  that  ((f(A*),f),  A',B#,  A°)  G  DPCohnp. 

•  DPC1  holds  by  Theorem  8.16. 

•  DC2  is  already  known  to  be  true. 

• We know f(A*) ---> B*. To see that A' is structure-preserving, note
that this property depends only on φ', and that φ' = φ for all nodes
other than those in NAME(A). To see that φ' is structure-preserving,
we need only establish that it is structure-preserving for orderings of
the form n1 ≺ n2 with n1 in the strand NAME(A). Either n2 is also
in that strand, in which case φ'(n1) ≺ φ'(n2) by the inclusion of the
strand succession relation, or n2 is not in that strand and n ≺ n2.
But ≺ φ(n) so by the structure-preserving property of φ and
transitivity, φ'(n1) ≺_B φ'(n2). This establishes DPC3.

•  DC4  is  obvious. 

• DPC5 is guaranteed, because f adds to U_A only where required to by
Aug_{n,p,i,σ0 ∘ FR(A,p,i),NAME(A)}.

•  DPC6  is  the  most  complicated  to  prove. 

If  WFC3a  holds,  then  condition  Sol2  applies  in  both  f(A*)  and  B*,  so 
it  must  apply  in  any  intermediate  factorization  by  Remark  9.15. 

If WFC3b holds, then condition Sol5 applies in B*; the fact
that (msgB(sB, i), π') traverses rather than visits the escape set
establishes that the new potential target term is a proper carried
substring of an escape set member. Sol5 applies in f(A*),
because (msgf(A)(NAME(A), i), π ⌢ πtt) is a carried path ending
at t' and thus must have some maximal decryptable subpath
(msgf(A)(NAME(A), i), π''). Furthermore, (msgB(sB, i), π'') must be
decryptable. Since (msgB(sB, i), π') traverses the maximal decryptable
subpath of (msgB(sB, i), π ⌢ πtt), so does (msgf(A)(NAME(A), i), π').
Therefore, Sol5 must apply in any intermediate factorization by
Remark 9.15.

We need only prove that A° --Af(A)--> f(A). It is obvious that Af(A) is
structure-preserving, and by Lemma 7.25, since A preserves points of
origination, so does Af(A).

□ 

12.5  Exhaustivity  of  the  Cases 

In  this  section  we  prove  that  cohort  coverage  implies  one  of  the  three  critical 
coverage  properties  used  in  lemmas  12.5,  12.7,  and  12.9. 

The proof intimately deals with the four conditions for a test being
solved. Let A be an unrealized skeleton with test (n, p) and let B be a
realized skeleton with A ---> B. The four conditions (from Definition 5.5)
are:


• Sol1. σ(p) visits σ(Esc(jFA n, ep)).

•  Sol2.  There  is  a  carried  path  from  an  element  of  Tjr.  n  to  cr(ep)  which 
does  not  visit  cr(Esc(^-A,n,  ep)). 

•  Sol3.  There  exists  a  {|5|}u  G  Esc(jFA  n,  ep)  such  that  cr (inv(w))  G  <Sj fb  (n). 

• Sol4. ep = {|5|}u and σ(u) ∈ S^Mn).

First  we  state  and  prove  the  top-level  proof,  assuming  a  lemma  we  will 
prove  later. 

Lemma 12.10 (Case exhaustivity). Let A° be an unrealized skeleton with
test (n, p), and let ((A*, Id), A, B°, A°) ∈ Coh, with B'* satisfying condition
C3. Then one of the following holds:

1. ((A*, Id), A, B'*, A°) ∈ DCohTDn,p,

2. ((A*, Id), A, B'*, A°) ∈ DCohGACn,p; or

3. ((A*, Id), A, B°, A°) ∈ CohCVDn,p.

Proof. The main observation is that since σ(p) is not a critical path in B at
φ(n) (where A = (φ, σ)), by Theorem 5.6, p is solved in by σ.

Note that Sol1 is just the same as TD1, so in that case,
((A*, Id), A, B'*, A°) ∈ DCohTDn,p.

Note also that Sol3 is the same as EL (since σ(inv(u)) = inv(σ(u))), and
Sol4 is the same as CL, so in either of those two cases, ((A*, Id), A, B°, A°) ∈
CohCVDn,p.

By Lemma 12.13, if neither of the two cases above apply, then there exists
a good augmentation candidate (p, i, π, tt) and a target strand sB. Therefore,
((A*, Id), A, B'*, A°) ∈ DCohGACn,p. □

Before we state and prove our lemma guaranteeing the existence of a
good augmentation candidate, we state and prove two lemmas that will be
helpful.

Lemma 12.11 (Image of the escape set without Sol3). Let A be an unrealized
protoskeleton with test (n, p) and let B be a protoskeleton such that A ---> B,
and suppose that Sol3 does not hold. Then we have that σ(Esc(.pA,n, ep)) ⊆
Esc(jFBjV3(n), σ(ep)).


Proof.  Let  t  G  Ese(Py 
or  t  is  a  term  in  Fr(Pjr 


,m  &p)  • 


Then  either  t  =  ep  and  ep 


’A,! 


that  carries  e 


p- 


First  we  observe  that  ^(Cl1  (Pfa„,  SrKn))  C  Cb(Pj 


■A 


G  Cb(PjrA  n, 

which 


B,y>(n)  ) 


takes  care  of  the  former  case.  In  the  latter  case,  we  also  need  to  show  that 
t  is  not  the  endpoint  of  a  path  that  is  the  proper  prefix  of  another  carried 
path  in  the  downward  closure.  However  since  we  know  that  in  such  a  case  t 
is  an  encryption  {|5|}u,  we  know  that  cr(inv(w))  f  Sjrp  ,n)  because  Sol3  does 
not  hold.  Therefore,  aft)  is  in  the  frontier.  □ 


Lemma 12.12 (Critical derivability property preserved without Sol4). Let A
be an unrealized protoskeleton with test (n, p) and let B be a realized skeleton
such that A* ---> B*; and suppose that Sol4 does not hold. Then if n' ≺ φ(n)
is any reception node in B and p' is any carried path from msgB(n') to σ(ep),
p' visits Esc(PTvn,,STaMn),a(ep)).

Proof. Since B is realized we know that msgB(n') ∈ D(P^Mn,,S^Bnl). A
weaker constraint is that msgB(n') ∈ P>(P:fb (n)). By Proposition 4.7,
p' must not be a critical path. Since Sol4 does not hold, if
ep is an encryption {|5|}u we know that σ(u) ∉ {n). Therefore, either
σ(ep) ∈ Cl liP^n,,STBMn)) or p visits Fr(P^;, 5^(n)). In the former
case, σ(ep) ∈ Esc {Pran,iSjra a (ep)) and thus in either case p visits
Esc(-Pjfb a(ep)).

□ 


Lemma 12.13 (Existence of a good augmentation candidate). Let A* be
an unrealized skeleton and let B* be a realized skeleton with A* ---> B* with
A = (φ, σ). Let Sol2 hold, but let neither Sol3 nor Sol4 hold.

Then there exists a sB and a 4-tuple (p, i, π, tt) such that conditions WFC1,
WFC2, WFC3, FC1, FC2, and FC3 are satisfied.

Proof. We will show that if Sol2 and neither Sol3 nor Sol4, then
((A*, Id), A, B'*, A°) ∈ DCohGACn,p, however this is far from
straightforward. In brief, the problem is that while Sol2 establishes that there is some
transmission outside the escape set, that does not make that transmission
a candidate for augmentation now. What we need to find is a transmission
outside the escape set that can serve as a “transforming node” from the
current escape set: a first new transmission.

Let  t  =  ep  and  let  t'  =  cr(t).  Let  E  =  Esc(jFA  n,  t)  and  let  E'  =  cr(E).  We 
define  a  sequence  of  tuples  (Tj,  ti,  7q,  7t',  nf)  for  0  <  i  <  k  with  the  following 
properties: 

1.  For  i  >  0,  Ti  —  E' \  {ti, . . . ,  U},  and  U  G  i . 

2.  For  i  >  0,  7T-  is  a  prefix  of  7T*. 

3.  ( ti ,  7Tj)  is  a  carried  path  that  ends  at  If,  and  for  i  >  0,  the  endpoint  of 
(ti,  7r')  is  not  in  cr(Targ(.E,  t)). 

4.  For  all  i  >  0,  nt  -<  < p(n ). 

5.  There  is  a  carried  path  from  msgM(rii)  ending  at  t'  that  does  not  visit 
T 

Note  that  because  E'  is  finite,  only  a  finite  sequence  can  satisfy  property 

1. 

To define the sequence, we let T_0 = E'. Since Sol2 holds we know there is
a carried path from an element of T?kn to t' that does not visit T_0; let n_0 be
any node transmitting such an element, let t_0 = t', and let π_0 = π'_0 = ().
Note that n_0 ≠ φ(n) because φ(n) is a reception. Note that properties 1, 2,
and the latter part of 3 are trivial for i = 0, and properties 4 and 5 and the
first part of 3 are easily observed to be true for i = 0.

Let n'_i be a minimal node such that msgB(n'_i) contains a carried path
ending at t' that does not visit T_i.

Claim 1. Node n'_i must contain a transmission event.

Proof  of  Claim  1.  If  n-  is  a  reception  then  since  IB  is  realized  and  Sol4  does 
not  hold,  by  Lemma  12.12,  all  carried  paths  ending  at  t'  in  msgM(n'i )  must 
visit  Esc (P^Mn,  ,SjrB  t').  Since  there  is  a  path  ending  at  tf  in  msg^n'f) 
that  does  not  visit  T*,  we  must  conclude  that  the  first  element,  e,  of 
Esc (n),t')  visited  by  that  path  is  not  in  Tt,  and  that  e  contains 

a  carried  path  ending  at  tf  that  does  not  visit  T%.  However,  e  can  only  be  in 
Esc (P^  n,  ,Sj?M{fi(n),t')  if  an  earlier  node  n!  transmitted  a  term  with  a  carried 
path q visiting e, such that q does not visit Tj after it visits e, and such that
every  plaintext  edge  q  traverses  before  e  is  one  for  which  the  inverse  key  is 
in  St  ,  , .  If  q  visits  T  it  must  do  so  before  it  visits  e,  but  then  it  would 
visit  Ti  at  a  term  cr({|6[}u)  for  which  inv(w)  G  S Since  Sol3  does  not 
hold  this  cannot  happen,  so  n'  is  an  earlier  node  than  n)  such  that  msgB(n') 
contains  a  carried  path  ending  at  t'  that  does  not  visit  Tj. 

□ 


Define  a  carried  path  p,  =  (mspB  («,'),  aj)  to  t'  as  follows: 

1.  If  there  is  a  carried  path  from  msgB(n'i)  to  t'  that  does  not  visit  E\  let 
Pi  be  such  a  path. 

2.  If  there  is  a  carried  path  from  msgBjn'j)  to  t?  that  visits  E'  but  does 
not  visit  Tj,  it  must  visit  E'  at  a  point  tj  for  1  <  j  <  i.  Let  at  be  such 
that  Pi  visits  tj  and  such  that  7 Tj  is  a  suffix  of  at. 

Let  n'i  =  ( Si ,  hi)  and  let  pi  be  the  role  associated  with  ,7  in  B.  Let  (3i 
be  the  maximal  prefix  of  cq  such  that  (CPi(/ij),  Pj)  is  well-defined.  There  are 
three  cases. 

1.  If  / 3j  =  «j  then  let  tt  —  t  and  terminate  the  sequence,  that  is,  set  k  =  i. 
Otherwise,  (CPi(hi),  fa)  ends  at  a  variable  rnt  of  sort  MESG. 

2.  If  (msg^n'i) ,  /3i)  ends  at  an  element  of  <v(Targ(T,  t  j).  let  tt  e  Targ(T,  t) 
such  that  <r(tt)  is  the  endpoint  of  (msgB(n'),  Pi)  and  set  k  =  i. 

3.  Otherwise,  (ms<7B(n') ,  pj)  ends  at  a  non-element  of  cr(Targ(T,  tj).  Be¬ 
cause  pi  meets  condition  3  of  Definition  6.1,  mt  must  be  acquired  in  pj. 
Let  hj  be  the  node  at  which  mj  first  occurs  in  CPi,  and  let  ( CPi{h!j)^i ) 
be  a  carried  path  ending  at  mj.  Note  that  h[  <  hi.  Let  n"  =  (s^h'j), 
and  note  that  nj  -<  n'i  -<  n j.  Since  ori?(Si)(mj)  is  both  the  endpoint 
of  (msgn(n'i),  Pi)  and  the  endpoint  of  (msgn(rii),  jj),  we  may  conclude 
that  qt  =  (msgn(ni) , 'ji ~  («j  —  pjj)  is  a  carried  path  ending  at  t'.  By  the 
minimality  of  nj  q.i  visits  Tp  let  Si  be  the  largest  prefix  of  (7 i^cq  — A)) 
such  that  msgn(n")  @  Si  =  ti+ 1  e  Tj. 

Note that if γ_i is a prefix of δ_i, then σ_B(s_i)(m_i) @ (δ_i − γ_i) ∈ T_i and
therefore, p_i visits T_i, which contradicts our earlier assumption. Therefore,
δ_i is a proper prefix of γ_i.
Let 7r'+1 = (7* - <5j). Let iri+1 = 7r'+i ~ (a* - A)- Let Ti+1 = E' \
{fi, . . . ,  £*+i}.  Since  Sol3  does  not  hold,  by  Lemma  12.11  we  know 
that  ti- |-i  G  Tj  EE'  C  Esc(JrB,¥>(n) AO-  Since  we  know  £*+i  A  L+i 
must  be  in  Fr(PjrB  (n),  Afb  (n)).  Therefore,  £*+i  must  be  the  endpoint 
of  a  maximal  5 j?B  ^  f  n .  -  decrypt  ab  le  path  beginning  at  an  element  £*  of 
Pfb  .  Since  t*  cannot  be  an  atom,  a  variable  or  sort  MESG,  or  a  tag, 
£*  must  be  a  transmission,  and  therefore  there  is  a  node  n*+i  -<  (p(n) 
that  transmits  £*. 


Claim 2. When we are in case 3 above, (T_{i+1}, t_{i+1}, π_{i+1}, π'_{i+1}, n_{i+1}) satisfy
properties 1-5.

Proof  of  Claim  2.  Consider  the  properties  one  at  a  time. 


1. We chose T_{i+1} = E' \ {t_1, ..., t_{i+1}}, and chose t_{i+1} ∈ T_i.

2. Here, π_{i+1} was explicitly described as an extension of π'_{i+1}, so this is
obvious.


3.  First,  note  that  (£*+1,77+1)  is  a  carried  path,  since  it  is  a  subpath  of 
(msg skeiB(n") ,  (St  ~  (a*  —  A))),  which  we  know  is  a  carried  path.  Also, 
(£*+1,77+1)  ends  at  £': 


£*+l  @  7T*+i 


(™%(n")  @  Si)  @  ((7 i  -  ~  (a*  -  A)) 

(ni)  @  ~  (7 i  -  ~  (a*  -  A)) 

msgB(rii)  @  (7*  ~  (a*  -  A)) 

o’Bisi^rrii)  @  (a*  -  A) 
msgB(n'f)  @  (A  ~  (a*  -  A)) 

£' 


The  endpoint  of  (£*+i,  7r'+1)  =  msg^n'f)  @  A ,  which  we  know  is  not  an 
element  of  cr(Targ(P,  £))  since  we  are  in  case  3. 

4. We have already noted that n_{i+1} ≺ φ(n).

5.  There  is  a  carried  path  from  msg^fnf)  ending  at  t'  that  does  not  visit 
Ti,  namely  the  one  whose  maximal  decryptable  subpath  is  £*. 

□

Now we prove that (p_k, h_k, β_k, tt) is a good augmentation candidate with
sB = s_k and πtt = (α_k − β_k).

•  WFC1.  If  the  endpoint  of  {CPk{hk),  Pk)  is  not  a  variable  of  sort  MESG 
then  either  tt  =  t  or  ( msgM{n '),  ak)  would  not  be  a  carried  path. 

•  FC1  is  obvious. 

•  FC2.  n'k  =  (sb,  hk)  -<  <p(n)  by  property  5  of  our  sequence. 

•  FC3  is  true  by  construction  in  the  latter  case;  when  ak  =  Pk,  the 
endpoint  is  t'  =  aft)  =  a{tt). 

•  WFC2  is  guaranteed  by  the  minimality  of  n'k. 

•  WFC3.  Note  that  {tt,  irtt )  is  a  carried  path  ending  at  t.  Note  further 
that  ( msgM{n'k ),  (pk)  (ak  -  Pk))  =  Pk-  Thus,  if  pk  does  not  visit  E’ , 
we  meet  WFC3a. 

Otherwise,  pk  visits  some  t3,  and  7 Tj  is  a  suffix  of  ak,  so  we  can  write 
ak  =  a'k  "  7 Tj.  Let  tt'  =  a'k  7 r'.  We  know  that  {msgM{n'k),  tt')  traverses 
E'  since  it  visits  tj  €  E',  and  by  Lemma  12.11,  ( msgM{n'k ),  tt')  traverses 
Esc(jFBj¥,(n),  t').  We  also  know,  by  property  3  of  our  sequence,  that  the 
endpoint  of  {msgB{n'k),  i d),  which  is  the  same  as  the  endpoint  of  {tj,  7 r'), 
is  not  in  cr(Targ(FJ,  t)),  so  we  meet  WFC3b. 

This  completes  the  proof  of  Lemma  12.13.  □ 

12.6  Proof  of  Lemma  10.11 

Lemma  10.11.  (Pre-cohort  completeness)  Let  A°  be  an  unrealized  skeleton 

QlP  Pn,p 

and  let  ( n,p )  be  any  test  of  A°.  Then  (A°,  Id)  :  [Coh  *  >  PCohn;J. 

Proof.  Suppose  ((A*,  Id),  A,  B°,A°)  e  Coh,  with  B7*  satisfying  condition  C3. 
By  Lemma  12.10,  one  of  the  following  three  cases  applies: 

1.  ((A*,  Id),  A,  B,#,  A°)  G  DCohTDn,p. 

In  this  case,  by  Lemma  12.5,  there  exists  an  f  e  cr))P(A°)  C  3pnp  and  a 
A7  such  that  ((f(A*),f),  A7,  B7*,  A°)  e  DPCoh„,p. 
2.  ((A*,  Id),  A,  B,#,  A°)  G  DCohGACn,p,  or

In  this  case,  by  Lemma  12.9,  there  exists  an  f  G  an.p(A°)  c  tyn,p  and  a 
A'  such  that  ((f(A*),  f),  A',  B,#,  A°)  G  DPCoh„iP. 

In  either  case  1  or  case  2,  we  have  f  G  ^n,p  and  a  X'  such  that 
((f(A,),f),A',B/#,A°)  G  DPCohn,p.  Therefore,  ((f(A'),  f),  A',  B°,  A0)  G 
PCohnp  with  B,#  satisfying  condition  P3. 

3.  ((A*,  Id),  A,  B°,  A°)  G  CohCVDnjP. 

In  this  case,  by  Lemma  12.9,  there  exists  an  f  G  [„iP(A°)  C  tyn,p  and  a 
A'  such  that  ((f(A*),  f),  A',  B°,  A°)  G  PCohniP. 

We need only prove that $(A^\circ, f) \in PP_{n,p}$ to complete the theorem. We
know that $f(A^\circ)$ is a preskeleton by Theorem 8.16. We also know that
$(A^\circ, f) \in SF_{n,p}$ by property P6, with $f(A)$ itself as the intermediate
factoring. Finally, all three of the lemmas established that $(A^\circ, f) \in HC$. This
completes the proof. □

13  Enumerability 

In  this  section,  we  go  beyond  the  concept  of  completeness  and  show  that 
CPSA  enumerates  covering  realized  skeletons. 

Theorem  13.1  (cpsa  enumerates).  For  all  (A',  A)  G  [A°],  there  exists  an 
n  >  0  such  that  if  S  is  the  set  of  skeletons  CPSA  produces  after  n  setwise 

y 

reduction  operations,  there  is  a  realized  B/0  G  S  and  a  homomorphism  A°  — > 
B°  such  that  (A',  A")  G  [B°]  and  A  =  A"  o  (A'|Rmv(A°)). 

To accomplish this cleanly, we need to modify the CPSA algorithm slightly.
Our approach to proving enumerability is to prove that CPSA maintains a
nodewise-injective map to the desired target through the cohort completeness
arguments. However, to ensure that we have a nodewise-injective map
initially, we must modify CPSA to do all possible merges of strands in the
initial input first.

Definition  13.2  (Merge-all  suite).  Let 

X(A°)  =  {Id}  U  {CompSi  S2  o  Subojsi  /s2G4dG  US1>S2}, 
where  Us  ljS2  is  a  set  of  most  general  unifiers  o/@(si)|*  and  @(s2)|*  for
i  =  mm(|0(si)|,  |0(s2)|).

Then  the  merge-all  suite  is  defined  to  be 

97ta(A°)  =  X(A°)K 

Lemma  13.3  (Initial  nodewise  injectivity).  If  there  is  a  homomorphism  from 

the  user’s  input  A°  A  B°  with  B°  realized,  there  is  an  f  G  (6  o  S0Ta)(A°) 
such  that  f(A°)  is  a  skeleton  and  there  is  a  nodewise  injective  X'  such  that 

f(A°)  B°  and  X  =  X'  o  A^a). 

Proof. Simply put, for every pair of strands in A that are unified in B, we
merge one pair of these strands at a time in each application of X until no
more are needed. After that, we choose $\mathrm{Id} \in X$. The result is an operator
that merges all strands in A° that are merged in B°. After this, the remaining
factorization of the original map must be nodewise injective.

By  Lemma  10.15,  X1  is  structure-preserving.  Note  that  f(A)  has  only 
inherited  unique  origination  assumptions  from  A  under  A^a). 

□ 

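Lemma 13.4. If $A \xrightarrow{\lambda} B$ and $\lambda$ is nodewise-injective, and $f = O_E$ or
$f = \mathrm{Sub}_\sigma$ for any $\sigma$, such that $f(A) \xrightarrow{\lambda'} B$ where
$\lambda = \lambda' \circ \lambda_f$, $\lambda'$ is nodewise-injective.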

Proof. For all such operators, the nodes in $f(A)$ are in one-to-one
correspondence with the nodes in $A$. Thus, if two nodes $f(n_1)$ and $f(n_2)$ in $f(A)$ map
to the same node in $B$, then so did $n_1$ and $n_2$ in $A$, which we assumed was
not the case. □

This already shows that much of the proof of completeness holds if we add
the requirement that $\lambda$ be nodewise-injective to all the coverage properties.
What remains is to handle those cases where we use the compression or
augmentation primitive operators. Fortunately, these come up in only three
places.

1. In skeletonization, we use the compression operator in the merging suite
$m_{n,p}$. However, the precondition for Lemma 11.7 renders the merging
suite moot when we require a nodewise injective $\lambda$, because it requires
that $\varphi(n) = \varphi(n')$ for distinct nodes $n$, $n'$.

2. In listener augmentation, we use the augmentation operator to add a
listener. If the listener were to map to a node already in the image of
$\lambda$, this would break node injectivity. Fortunately during listener
augmentation, we adjust the target B to include a new listener specifically
to be the image of the new listener added to A, so node-injectivity is
always preserved.

3.  In  regular  augmentation,  we  may  sometimes  augment  with  a  strand 
whose  image  is  already  in  A  (A).  Specifically,  suppose  that  we  have 
f  =  Subffl  o  /\ugn^aooFR{A^i)tNAME{A)  and  the  corresponding  A',  a  ho¬ 
momorphism  from  f(A*)  to  B*,  but  that  A'  is  not  nodewise-injective. 
Since  A  was  nodewise-injective,  no  node  collision  can  occur  unless  one  of 
the  nodes  is  in  the  new  strand  N AM E (A).  Suppose  (p'(N AM E( A))  = 
<p'(s)  for  some  other  strand  s  G  /a-  Note  that  a1  is  a  unifier  of  s 
with  NAME(A)  up  to  the  minimum  of  their  heights;  let  cr-2  be  a 
most  general  unifier  of  those  terms  more  general  than  o' .  Then  con¬ 
sider  f  =  CompS)JVAM£;/A)  o  Subov,  o  f.  Clearly,  there  is  a  \"  such  that 
A'  =  A"  O  ACompSiArAM£;(A)oSubCT2(A)-  f'  e  On.p(A°)  by  our  definition  of  the 
deorigination  suite. 

((f'(A*),  f'),  A",  B*,  A°)  G  DPCohnp.  Most  conditions  are  easy  to  estab¬ 
lish  given  that  we  already  know  ((f (A*) ,  f) ,  A',B#,  A°)  G  DPCohnp;  the 
only  one  that  is  non-trivial  is  that  A"  is  structure-preserving.  The  proof 
that  A"  must  be  structure-preserving  essentially  follows  the  argument 
that  merging  satisfies  condition  S5  in  Lemma  11.7. 

Finally,  A°  — — >  f^A0).  Again  it  is  obvious  that  Af/(A)  is  structure¬ 
preserving,  and  by  Lemma  7.25,  it  preserves  points  of  origination.  This 

(a  l  IT)  \HCn,p 

allows  us  to  conclude  that  (A°,  Id)  :  [NIDCohGAC^p  =  n'p  > 
NIPCohnp],  where  NIDCohGAC  and  NIPCoh,  respectively,  are  the 
equivalent  coverage  properties  with  the  additional  requirement  that 
the  map  A  be  nodewise-injective. 

Since  on>p  U  C  this  weakened  statement  is  still  strong  enough 
for  use  in  the  proof  of  Lemma  10.11. 

Finally, we prove that maintaining nodewise-injective maps guarantees
a finite number of cohort steps to a realized skeleton. Note that since we
maintain nodewise-injective maps, we can use only finitely many operators
that add nodes to our current skeleton while maintaining coverage of the
target realized skeleton. There are only finitely many missing orderings, so
again we can only use finitely many operators that add additional orderings.
Since no cohort step consists of only Id, the only way we can fail to reach the
target (or something covering it) in finitely many steps is for there to be an
infinite sequence of substitutions, each more specific than the last, factoring a
specific substitution. And to be more specific, every subsequent substitution
is a unification. However, it is known (see Lemma A.10) that this cannot be
the case for our algebra. Thus, either we reach our target in a finite number
of steps, or we reach something realized before that, in which case we reach
something covering our target in finitely many steps.
A  The  cowt  Algorithm

This  section  describes  the  algebra  specific  part  of  the  computation  used  in 
regular  augmentation  and  displacement. 

First  we  recall  the  definition  of  the  regular  augmentation  suite: 

Definition  9.2  (Regular  augmentation  suite) 

•V,p(-A  )  {Sub^  °  Aug,nipij  (j0Op^[^ip^iS*} 

where  cr0  £  S0,  cy  £  Si,s*  =  NAME  (A)  and  p,  i,  <r0,  cr1;  S0,  Si  are  as  defined 
below}. 
•  1Z  e  P  and  i  is  such  that  C-jz(i)  is  defined  and  is  a  send  event.  Let

C  =  Cn\t. 

•  There  is  a  path  pp  ∈  CarPath(C'(i))  and  a  term  tt  such  that  either  (i)
the  endpoint  of  pp  is  a  variable  not  of  sort  MESG  and  tt  =  ep  or  (ii)  the
endpoint  of  pp  is  a  variable  of  sort  MESG  and  tt  ∈  Targ(Esc(JP,  ep),  ep).

•  $S_0$  is  a  set  of  most  general  unifiers  of  tt  with  the  endpoint  of  FR(A,  p,  i)(pp).

•  Si  is  a  set  of  most  general  maps  oy  such  that  for  all  i'  <  i  and  for  all 
paths  p'  e  CarPath(C'(i/))?  if  the  endpoint  of  <Ti((cr0  °  FR(A,  p,  i))(p')) 
is  oy(ep)  then  cri(jf)  visits  an  element  of  <7i(Esc(^rA,n)  ep))- 

Note that it is not obvious that $S_1$ exists, let alone that there is a finite
set of such maps we can calculate efficiently.

Definition A.1 (Carried only within). Message $t$ is carried only within
set $T$ in $t'$, if for all carried paths $p$ ending at $t$ in $t'$, $p$ visits $T$.

A message $t$ is carried only within set $T$ in a set of messages $T'$ if for all
$t' \in T'$, $t$ is carried only within $T$ in $t'$.

In calculating the regular augmentation suite, we must find a set $S_1$ of
most general maps $\sigma_1$ such that $\sigma_1(e_p)$ is carried only within
$\sigma_1(\mathrm{Esc}(\mathcal{F}_{A,n}, e_p))$ in $\{(\sigma_0 \circ \mathit{FR}(A, p, i))(C|_{i-1})\}$.

Definition A.2 (Carried only within problem). A carried only within problem
is a triple $(t, T, T')$.

Definition A.3 (Carried only within problem solution). The solution to a
carried only within problem $(t, T, T')$ is a complete set of most general unifiers
$S$ such that for every $\sigma \in S$, $\sigma(t)$ is carried only within $\sigma(T)$ in $\sigma(T')$.

The  notion  of  a  carried  only  within  problem  and  its  solution  allows  us  to 
describe  the  CPSA  approach  to  computing  the  regular  augmentation  suite  as 
its  own  algorithm. 

A unification problem is a finite set

$$E = \{t_1 = t'_1, \ldots, t_n = t'_n\},$$

and a unifier of $E$ is a substitution $\sigma$ such that $\sigma(t_1) = \sigma(t'_1), \ldots, \sigma(t_n) = \sigma(t'_n)$.
Definitions in this section follow [19, Chapter 9].

When solving a unification problem $E$, we rely on the fact that the order
in which the equations are solved is irrelevant in the following sense. Let
$C(E)$ be a finite complete set of unifiers for $E$. Let $E = E_0 \cup E_1$ be a
decomposition of $E$, and let $S = \{\sigma_1 \circ \sigma_0 \mid \sigma_0 \in C(E_0) \land \sigma_1 \in C(\sigma_0(E_1))\}$.
Then $S$ is a finite complete set of unifiers for $E$. Decompositions $E = E_0 \cup E_1$
in this section often are such that $E_0 \subset E$, and $E_1 = E$. Thus, solving a
unification problem can be done from a function unify that, on input $t$ and
$t'$, finds a set of most general substitutions $\sigma$ such that $\sigma(t) = \sigma(t')$.

In what follows, $C(\{\}) = \{\mathrm{Id}_{\mathfrak{A}}\}$.

A carried only within solution cannot be directly computed. Given terms $t$
and $t'$, the unify function finds a most general set of substitutions $\sigma$ such that
$\sigma(t) = \sigma(t')$, however, the set of carried paths ending at $t$ may become larger
after we apply a unifying substitution.

The remainder of this section describes an iterative procedure that breaks
the cyclic dependencies. Each step of the iteration improves an approximation
of a solution to the problem.

Definition A.4 (Carried only within at a substitution). Message $t$ is carried
only within $T$ in $t'$ at substitution $\sigma$ if for all carried paths $p$ ending at $t$ in $t'$,
$\sigma(p)$ visits $\sigma(T)$.

Each step in the iterative procedure involves finding subsequently more
specific substitutions such that $t$ is COW $T$ in $t'$ at $\sigma$ for each $t' \in T'$. The
sense in which each step approximates the solution is captured by the
following lemmas.

The  algorithm  uses  specific  terms  rather  than  equivalence  classes  of  terms. 

Lemma A.5. $\sigma(\mathrm{CarPath}(t, t')) \subseteq \mathrm{CarPath}(\sigma(t), \sigma(t'))$.

Proof. Let $p = (t', \pi)$ be a path that ends at $t$. Then $\sigma(p) = (\sigma(t'), \pi)$, which
is a path that ends at $\sigma(t)$. Moreover, $p$ is a carried path if and only if $\sigma(p)$
is. □

The case in which $t = x$ and $t' = (x, y)$, and $\sigma$ unifies $x$ and $y$ provides
an example in which the subset relation is proper.

Lemma A.5 can be used to show why the problem of finding carried only
within solutions is non-trivial. If $\sigma(t) = \sigma(t')$ and $\sigma \trianglelefteq \sigma'$, then $\sigma'(t) = \sigma'(t')$,
however, if $\sigma(t)$ is COW $\sigma(T)$ in $\sigma(t')$ and $\sigma \trianglelefteq \sigma'$, one cannot conclude
that $\sigma'(t)$ is COW $\sigma'(T)$ in $\sigma'(t')$, because by Lemma A.5, it is possible that
$\mathrm{CarPath}(\sigma(t), \sigma(t')) \subset \mathrm{CarPath}(\sigma'(t), \sigma'(t'))$.

The implementation must consider all possible solutions to the equations.
It does so by operating on sets of terms and substitutions. Given solutions $S$
to some other equations, $\mathit{solve}(T, T', S)$ extends them to include solutions to
one pair from $T$ and $T'$.

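$$
\begin{aligned}
\mathit{solve}(T, T', S) &= \{\sigma' \mid t \in T,\ t' \in T',\ \sigma \in S,\ \sigma' \in \mathit{unify}_0(t, t', \sigma)\} \\
\mathit{unify}_0(t, t', \sigma) &= \{\sigma' \circ \sigma \mid \sigma' \in \mathit{unify}(\sigma(t), \sigma(t'))\}
\end{aligned}
$$

An algebra module in CPSA exports $\mathit{unify}_0$, not $\mathit{unify}$, and substitution
composition is intertwined with unification steps. Obviously, if
$\sigma' \in \mathit{unify}_0(t, t', \sigma)$ then $\sigma \trianglelefteq \sigma'$.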

The  implementation  combines  the  solutions  for  single  equations  by  folding 
the  substitutions  produced  by  the  solve  function.  The  set-oriented  version 
of  the  COW  at  a  substitution  function  is: 

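$$
\begin{aligned}
\mathit{fold}(t, T, t', \sigma) &= \mathit{fold}_0(t, T, t', \sigma, \{\mathrm{Id}_{\mathfrak{A}}\}, \mathrm{CarPath}(\sigma(t), \sigma(t'))) \\
\mathit{fold}_0(t, T, t', \sigma, S, \{\}) &= \{\sigma' \circ \sigma \mid \sigma' \in S\} \\
\mathit{fold}_0(t, T, t', \sigma, S, \{p\} \cup P) &= \mathit{fold}_0(t, T, t', \sigma, \mathit{solve}(\mathit{anc}(\sigma(t'), p), \sigma(T), S), P)
\end{aligned}
$$

The fold function on $(t, T, t', \sigma)$ is meant to return the set of substitutions
$\{\sigma' \circ \sigma \mid \sigma(t) \text{ is COW } \sigma(T) \text{ in } \sigma(t') \text{ at } \sigma'\}$. However, we do not need to prove
this behavior specifically to establish the theorems we want to prove. The
important observation is that $t$ being COW $T$ in $t'$ at $\sigma$ is insufficient to
guarantee that $\sigma(t)$ is COW $\sigma(T)$ in $\sigma(t')$.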

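Iterating the fold function can be used to find contractions. Potential
contractions are in $\mathit{cows}(t, T, t')$, where

$$
\begin{aligned}
\mathit{cows}(t, T, t') &= \mathit{cows}_0(t, T, t', \mathrm{Id}_{\mathfrak{A}}) \\
\mathit{cows}_0(t, T, t', \sigma) &= \text{if } \sigma(t) \text{ is COW } \sigma(T) \text{ at } \sigma(t') \text{ then} \\
&\phantom{=}\ \text{else} \\
&\phantom{=}\ \quad \text{let } S = \mathit{fold}(t, T, t', \sigma) \text{ in} \\
&\phantom{=}\ \quad \textstyle\bigcup_{\sigma' \in S} \mathit{cows}_0(t, T, t', \sigma')
\end{aligned}
$$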
We now show the cows function produces the unifiers that make up a
carried only within solution. It may also produce non-minimal unifiers. An
additional step is required to remove these unifiers.
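The solve, fold and cows definitions above, run on a toy free algebra, as an added example (it is not CPSA's Haskell code and not from the paper). Assumptions: messages are atoms, variables, pairs and encryptions with syntactic, unitary unification; a path visits T when a proper ancestor of its endpoint is in T, as in the proof of Lemma A.7; the branch of cows_0 that the page leaves blank returns {σ}; all Python names are hypothetical.

```python
from itertools import product

# Toy free algebra (constructed): ("var", x), ("atom", a), ("pair", l, r), ("enc", body, key).
def V(n): return ("var", n)
def A(n): return ("atom", n)
def pair(l, r): return ("pair", l, r)
def enc(body, key): return ("enc", body, key)

def apply(s, t):
    """Apply substitution s (dict: variable name -> term) to term t."""
    if t[0] == "var":
        return apply(s, s[t[1]]) if t[1] in s else t
    return t if t[0] == "atom" else (t[0], apply(s, t[1]), apply(s, t[2]))

def occurs(name, t):
    if t[0] in ("var", "atom"):
        return t == V(name)
    return occurs(name, t[1]) or occurs(name, t[2])

def unify0(a, b, s):
    """unify_0, unitary case: most general extension of s unifying a and b, or None."""
    a, b = apply(s, a), apply(s, b)
    if a == b:
        return s
    if a[0] == "var" or b[0] == "var":
        v, t = (a, b) if a[0] == "var" else (b, a)
        return None if occurs(v[1], t) else {**s, v[1]: t}
    if a[0] != b[0] or a[0] == "atom":
        return None
    s = unify0(a[1], b[1], s)
    return None if s is None else unify0(a[2], b[2], s)

def carried_paths(t, tp, pos=()):
    """Positions of tp at which t is carried: descend into both halves of a
    pair and into the body of an encryption, never into its key."""
    found = [pos] if tp == t else []
    if tp[0] == "pair":
        found += carried_paths(t, tp[1], pos + (0,))
        found += carried_paths(t, tp[2], pos + (1,))
    elif tp[0] == "enc":
        found += carried_paths(t, tp[1], pos + (0,))
    return found

def anc(tp, pos):
    """Proper ancestors of tp @ pos, outermost first (assumed meaning of anc)."""
    out = []
    for i in pos:
        out.append(tp)
        tp = tp[i + 1]
    return out

def is_cow(t, T, tp):
    """t is carried only within T in tp: every carried path visits T."""
    return all(any(a in T for a in anc(tp, p)) for p in carried_paths(t, tp))

def solve(X, Y, S):
    """Extend each substitution in S by unifying one pair from X and Y."""
    out = {}
    for s, x, y in product(S, X, Y):
        s2 = unify0(x, y, s)
        if s2 is not None:
            s2 = {name: apply(s2, V(name)) for name in s2}  # normal form
            out[frozenset(s2.items())] = s2                  # drop duplicates
    return list(out.values())

def fold(t, T, tp, s):
    """One pass: force every carried path of s(t) in s(tp) to visit s(T).
    Substitutions here already extend s, so no final composition is needed."""
    st, sT, stp = apply(s, t), [apply(s, m) for m in T], apply(s, tp)
    S = [s]
    for p in carried_paths(st, stp):
        S = solve(anc(stp, p), sT, S)
    return S

def cows0(t, T, tp, s):
    st, sT, stp = apply(s, t), [apply(s, m) for m in T], apply(s, tp)
    if is_cow(st, sT, stp):
        return [s]  # assumed result of the branch left blank on the page
    return [r for s2 in fold(t, T, tp, s) for r in cows0(t, T, tp, s2)]

def cows(t, T, tp):
    return cows0(t, T, tp, {})

# Constructed sample problems.
n, a, k, x, y, z, v = A("n"), A("a"), A("k"), V("x"), V("y"), V("z"), V("v")
T1, tp1 = [enc(pair(n, a), k)], pair(enc(pair(n, a), k), enc(pair(n, y), z))
T2, tp2 = [enc(pair(n, v), k)], pair(enc(pair(n, n), k), v)

if __name__ == "__main__":
    print(cows(n, T1, tp1), fold(n, T2, tp2, {}), cows(n, T2, tp2))
```

In the second problem a single fold pass returns the binding of v to n, which exposes n at the top level of the instantiated message; the next cows_0 step finds no unifier for that new path, which is why fold has to be iterated.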

The cows function terminates because each step in the iteration reduces
the number of variables in the problem statement. Several lemmas are
required to show termination.

Lemma A.6. $\sigma' \in \mathit{unify}_0(t, t', \sigma)$ and $\sigma(t) \neq \sigma(t')$ implies $\sigma \triangleleft \sigma'$.

Proof. We know $\sigma \trianglelefteq \sigma'$. Assume the negation of the conclusion, that there
is a substitution $\sigma''$ such that $\sigma = \sigma'' \circ \sigma'$. The first hypothesis implies
$\sigma'(t) = \sigma'(t')$, so $\sigma''(\sigma'(t)) = \sigma''(\sigma'(t'))$, a contradiction. □

Lemma A.7. $\sigma' \in \mathit{fold}(t, T, t', \sigma)$ and $\sigma(t)$ not COW $\sigma(T)$ in $\sigma(t')$ implies
$\sigma \triangleleft \sigma'$.

Proof. If $\sigma(t)$ not COW $\sigma(T)$ in $\sigma(t')$, there is some position $p$ in
$\mathrm{CarPath}(\sigma(t), \sigma(t'))$ such that no ancestor of $\sigma(t') @ p$ is equivalent to any
member of $\sigma(T)$. We know $\sigma \trianglelefteq \sigma'$ (by observation, all outputs of fold extend
the initial $\sigma$), so assume the negation of the conclusion, that there is a
substitution $\sigma''$ such that $\sigma = \sigma'' \circ \sigma'$. By the fact that $\sigma' \in \mathit{fold}(t, T, t', \sigma)$ we know
that $t$ is COW $T$ in $t'$ at $\sigma'$, so there is a $t'' \in T$ and a proper prefix $p'$ of $p$ such
that $\sigma'(t'') = \sigma'(t' @ p')$. Thus, $\sigma(t'') = \sigma''(\sigma'(t'')) = \sigma''(\sigma'(t' @ p')) = \sigma(t' @ p')$
which contradicts what we know about $p$, as $\sigma(t' @ p') = \sigma(t') @ p'$ is an
ancestor of $\sigma(t') @ p$ equivalent to $\sigma(t'')$ which is in $\sigma(T)$. □

Now we prove our three main results about cows. We give sufficient
conditions to guarantee that cows terminates (Theorem A.8), we prove that
cows gives answers with the property we want (Theorem A.9), and we prove
that cows produces a complete set of such outputs (Theorem A.11).

Theorem A.8. If the algebra $\mathfrak{A}$ has variable-reducing, finitary unification,
the function $\mathit{cows}(t, T, t')$ terminates on all inputs.

Proof. By an examination of fold, each substitution produced is a unification
of a set of equations. By Lemma A.7, each substitution produced is strictly
less general than $\mathrm{Id}_{\mathfrak{A}}$. Therefore, every substitution produced by fold is a
non-trivial unification. Since every unification is variable-reducing, there is a
maximum number of successive non-trivial unifications that can be applied
before further unification becomes impossible, namely, the number of
variables appearing in the original $t$, $T$, and $t'$. Furthermore, since the unification
is finitary, we know that every node of the tree of substitutions we explore
has a finite branching factor. Thus, the entire tree of potential solutions is
finite, so cows terminates. □

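Theorem A.9. $\sigma \in \mathit{cows}(t, T, t')$ implies $\sigma(t)$ is COW $\sigma(T)$ in $\sigma(t')$.

Proof. We prove this by structural induction on the execution of cows. If
$\sigma \in \mathit{cows}(t, T, t')$ and $\mathit{cows}_0$ outputs without recursing then $\sigma = \mathrm{Id}_{\mathfrak{A}}$ and the
property holds by the required condition in the algorithm.

If $\sigma \in \mathit{cows}(t, T, t')$ and $\mathit{cows}_0$ outputs after recursing, then $\exists \sigma', \sigma''$ such
that $\sigma = \sigma'' \circ \sigma'$ where $\sigma' \in S$ and $\sigma'' \in \mathit{cows}_0(t, T, t', \sigma')$. By inductive
assumption, $\sigma''(\sigma'(t))$ is COW $\sigma''(\sigma'(T))$ in $\sigma''(\sigma'(t'))$. This proves that $\sigma(t)$
is COW $\sigma(T)$ in $\sigma(t')$. □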

Lemma A.10. For any strand space algebra with variable-reducing unification,
the following holds: Let $\mathrm{Id}_{\mathfrak{A}} = \sigma_0 \trianglelefteq \sigma_1 \trianglelefteq \ldots$ be an infinite sequence of
substitutions all generated over the same finite set of variables, such that for
every $\sigma_i$, $\sigma_i \trianglelefteq \sigma$ and such that every $\sigma'_i$ (where $\sigma_{i+1} = \sigma'_i \circ \sigma_i$) is a most general
unification. Then for at most finitely many $i > 0$, $\sigma_i \triangleleft \sigma_{i+1}$.

Proof. Let $\{x_1, \ldots, x_n\}$ be the finite set of variables over which the sequence
of substitutions is defined. For each $i$, define $v_i$ to be $|\mathit{Vars}(\sigma_i(x_1, \ldots, x_n))|$
with $v_0 = n$, and let $v = |\mathit{Vars}(\sigma(x_1, \ldots, x_n))|$. For each $i$, we know that
$\sigma'_i$ is a most general unification; if it is a unification of terms which are all
already equivalent then $\sigma'_i$ must be a renaming and then it cannot be the case
that $\sigma_i \triangleleft \sigma_{i+1}$. If $\sigma'_i$ is a unification of one or more pairs of non-equivalent
terms, it is variable-reducing, so $v_i > v_{i+1}$. However, this sort of step can be
taken at most $n - v$ times. □

Theorem A.11. If the algebra $\mathfrak{A}$ has variable-reducing unification, $\sigma(t)$ is
COW $\sigma(T)$ in $\sigma(t')$ implies there exists a substitution $\sigma'$ such that $\sigma' \trianglelefteq \sigma$ and
$\sigma' \in \mathit{cows}(t, T, t')$.²

Proof. We aim to define a sequence of substitutions $\mathrm{Id}_{\mathfrak{A}} = \sigma_0 \trianglelefteq \sigma_1 \ldots \trianglelefteq \sigma_n \trianglelefteq \sigma$,
such that $\sigma_n(t)$ is COW $\sigma_n(T)$ in $\sigma_n(t')$, where each is produced
incrementally during the cows computation, where $\sigma_n$ will serve as the $\sigma'$ in
the theorem.

² Note that $\mathit{cows}(t, T, t')$ is a well-defined set regardless of whether a computer could
calculate it in a finite number of steps.

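By saying that $\sigma_i$ is “produced incrementally during the cows computation”
we mean that (i) if $i > 0$, $\sigma_i$ is an output of $\mathit{fold}(t, T, t', \sigma_{i-1})$, and
(ii) if $i < n$, $\mathit{cows}_0(t, T, t', \sigma_i)$ is a recursive call within the execution of
$\mathit{cows}_0(t, T, t', \mathrm{Id}_{\mathfrak{A}})$.

We develop the sequence inductively. Note that $\sigma_0 = \mathrm{Id}_{\mathfrak{A}} \trianglelefteq \sigma$ for any
$\sigma$, and that our initial call of $\mathit{cows}(t, T, t')$ establishes that we run $\mathit{cows}_0$ on
$(t, T, t', \sigma_0)$.

Suppose that we have $\mathrm{Id}_{\mathfrak{A}} = \sigma_0 \trianglelefteq \ldots \trianglelefteq \sigma_i \trianglelefteq \sigma$ and that we run $\mathit{cows}_0(t, T, t', \sigma_i)$.
If $\sigma_i(t)$ is COW $\sigma_i(T)$ in $\sigma_i(t')$ then $n = i$ and our sequence is complete.
Otherwise, we calculate $S = \mathit{fold}(t, T, t', \sigma_i)$; we wish to prove that there exists
a $\sigma_{i+1} \in S$ such that $\sigma_i \trianglelefteq \sigma_{i+1} \trianglelefteq \sigma$.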

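By Lemma A.5, we know that $\mathrm{CarPath}(\sigma_i(t), \sigma_i(t')) \subseteq \mathrm{CarPath}(\sigma(t), \sigma(t'))$.
Let $p_1, \ldots, p_k$ be the positions in $\mathrm{CarPath}(\sigma_i(t), \sigma_i(t'))$. In $\mathit{fold}_0$, the set $S$
initially contains $\varphi_0 = \mathrm{Id}_{\mathfrak{A}}$; note that $\varphi_0 \circ \sigma_i \trianglelefteq \sigma$. In the next paragraph we
show how to define a sequence of substitutions $\varphi_0 \trianglelefteq \ldots \trianglelefteq \varphi_k$ in $S$ in successive
calls to $\mathit{fold}_0$, such that $\varphi_l \circ \sigma_i \trianglelefteq \sigma$. This sequence will serve to bridge the
difference between $\sigma_i$ and $\sigma_{i+1}$.

Suppose that $\varphi_l \in S$ in $\mathit{fold}_0$ when $P$ consists of $p_{l+1}, \ldots, p_k$, and that
$\varphi_l \circ \sigma_i \trianglelefteq \sigma$. Since $\sigma(t)$ is COW $\sigma(T)$ in $\sigma(t')$, there exists a proper prefix $p'_{l+1}$
of $p_{l+1}$ and a $t_e \in T$ such that $\sigma(t' @ p'_{l+1}) = \sigma(t_e)$. Note that $\sigma_i(t_e) \in \sigma_i(T)$,
and that $\sigma_i(t') @ p'_{l+1} \in \mathit{anc}(\sigma_i(t') @ p_{l+1})$. Thus, $\mathit{fold}_0$ calls $\mathit{solve}(X, Y, S)$
where $\sigma_i(t_e) \in X$, $\sigma_i(t' @ p'_{l+1}) \in Y$, and $\varphi_l \in S$.

Write $\sigma = \psi_l \circ \varphi_l \circ \sigma_i$; note that $\psi_l$ is a unifier of $\varphi_l(t_e)$ and $\varphi_l(t' @ p'_{l+1})$.
Thus, there exists a $\psi'_l \in \mathit{unify}(\varphi_l(t_e), \varphi_l(t' @ p'_{l+1}))$ such that $\psi'_l \trianglelefteq \psi_l$. Let
$\varphi_{l+1} = \psi'_l \circ \varphi_l$; note that $\psi'_l \circ \varphi_l \trianglelefteq \psi_l \circ \varphi_l$ so $\sigma_i \trianglelefteq \varphi_l \trianglelefteq \varphi_{l+1} \trianglelefteq \sigma$. Note further
that $\varphi_{l+1} \in \mathit{solve}(X, Y, S)$ and thus $\varphi_{l+1}$ is in $S$ in $\mathit{fold}_0$ when $P$ consists of
$p_{l+2}, \ldots, p_k$.

Consider $\varphi_k$; note that $\sigma_i \trianglelefteq \varphi_k \trianglelefteq \sigma$ and that $\varphi_k \in S$ in $\mathit{fold}_0$ when $P = \{\}$,
so $\varphi_k \in \mathit{fold}(t, T, t', \sigma_i)$. Let $\sigma_{i+1} = \varphi_k$. Because $\varphi_k$ is in the output of
$\mathit{fold}(t, T, t', \sigma_i)$, note that we make a recursive call to $\mathit{cows}_0$ on $(t, T, t', \sigma_{i+1})$.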

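In this way we define a (potentially infinite) sequence
$\mathrm{Id}_{\mathfrak{A}} = \sigma_0 \trianglelefteq \sigma_1 \trianglelefteq \ldots \trianglelefteq \sigma_i \trianglelefteq \ldots \trianglelefteq \sigma$.
Moreover, by Lemma A.7, we know that $\sigma_0 \triangleleft \ldots \triangleleft \sigma_i \triangleleft \ldots \trianglelefteq \sigma$.
Note that each substitution is produced by composing a unification with the
previous substitution. Thus, by Lemma A.10, the sequence must be finite,
with $\sigma_n$ being the last substitution before $\sigma$. But the sequence can only
end at $\sigma_n$ if $\sigma_n(t)$ is COW $\sigma_n(T)$ in $\sigma_n(t')$. If this is the case, then in the
recursive call to cows on $\sigma_n(t), \sigma_n(T), \sigma_n(t')$, $\mathrm{Id}_{\mathfrak{A}}$ is returned, so
$\sigma_n \circ \mathrm{Id}_{\mathfrak{A}} = \sigma_n \in \mathit{cows}(t, T, t')$. This completes the proof, with $\sigma' = \sigma_n$. □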

The cows function finds solutions to a single carried only within problem.
To calculate substitutions, we need the following function, cowt, which finds
solutions to a set of carried only within problems.

$$\mathit{cowt}(t, T, T') = \mathit{cows}(t, T, \mathit{concat}(T'))$$

where $\mathit{concat}(T')$ is a concatenation, by successive pairings, of the
messages in $T'$.

Lemma A.12 (cowt complete, terminates). $\mathit{cowt}(t, T, T')$ is a most general set
of substitutions $\sigma$ such that $\sigma(t)$ is carried only within $\sigma(T)$ in $\sigma(T')$, and
$\mathit{cowt}(t, T, T')$ can be calculated in finitely many steps.

Proof. It should be obvious that cowt will terminate. Note that the carried
paths of $\mathit{concat}(T')$ are in one-to-one correspondence with the carried paths
of members of $T'$; this establishes that cowt gives a complete set of most
general substitutions such that $\sigma(t)$ is carried only within $\sigma(T)$ in $\sigma(T')$,
because cows is complete. □


